Cisco Blog » The Platform

Monday, February 1, 2016

Cisco Notification Alert -ASA 5500 Series NG Firewall-01-Feb-2016 18:21 GMT

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7
Alert Type:
New File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7
Alert Type:
New File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7
Alert Type:
New File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7
Alert Type:
New File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7
Alert Type:
New File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Context Directory Agent (CDA)
Release Version:
CDA
Alert Type:
New File
File Name:
cda-patchbundle-1.0.0.011-5.i386.tar.gz
File Description:

Cisco Context Directory Agent v 1.0.0.11 patch 5

File Release Date:
05-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200
Alert Type:
New File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
28-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP
Alert Type:
New File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-JAN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
21-JAN-2016
Find additional information in Software Downloads index.
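
The listing above repeats the same five files once per product, and the File Description of each one is the only place that says which models it applies to. As an added worked example (not code from the original alert or from Cisco), the following Python script transcribes those platform lists into a small catalog and answers the question a practitioner actually has: given a model and the release it is running, which of the announced images apply, and does the announced ASDM build support them. The filename grammar (the trailing "-6" and "-203" read as interim build numbers, "-smp" as the multi-core image) is an assumption inferred from the names listed here, and the models and running versions in the usage block are constructed for illustration.

```python
"""Select the images announced in this alert that apply to a given ASA model.

Added example: the catalog below is transcribed from the File Description
fields of the listing; the filename grammar is inferred from those names
(assumption, not a Cisco specification).
"""
import re
from typing import NamedTuple, Optional


class AsaImage(NamedTuple):
    file: str
    release: tuple            # (major, minor, maintenance), e.g. (9, 1, 7)
    interim: Optional[int]    # trailing build number, None for a general release
    smp: bool                 # "-smp" multi-core image (5500-X, 5580, 5585-X, ASASM)


# asa917-k8.bin, asa942-6-smp-k8.bin, asa952-203-smp-k8.bin  (assumed grammar)
ASA_RE = re.compile(r"^asa(\d)(\d)(\d+)(?:-(\d+))?(-smp)?-k8\.bin$")
# asdm-752-153.bin -> ASDM 7.5(2) build 153  (assumed grammar)
ASDM_RE = re.compile(r"^asdm-(\d)(\d)(\d)-(\d+)\.bin$")

# Platform lists copied from the File Description of each announced file.
LEGACY_5500 = {"5505", "5510", "5520", "5540", "5550"}
SMP_9_1 = {"5512-X", "5515-X", "5525-X", "5545-X", "5555-X", "5580", "5585-X", "ASASM"}
SMP_9_4_PLUS = SMP_9_1 - {"5580"}        # 5580 is absent from the 9.4.2 / 9.5.2 lists

ANNOUNCED_ASA = {
    "asa917-k8.bin": LEGACY_5500,
    "asa917-smp-k8.bin": SMP_9_1,
    "asa942-6-smp-k8.bin": SMP_9_4_PLUS,
    "asa952-203-smp-k8.bin": SMP_9_4_PLUS,
}
ASDM_FILE = "asdm-752-153.bin"
# "Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, ..., 9.4, and 9.5"
ASDM_SUPPORTED_ASA = {(8, 0), (8, 1), (8, 2), (8, 3), (8, 4),
                      (9, 0), (9, 1), (9, 2), (9, 3), (9, 4), (9, 5)}


def parse_asa_image(name: str) -> AsaImage:
    m = ASA_RE.match(name)
    if not m:
        raise ValueError(f"not an ASA software image name: {name}")
    major, minor, maint, interim, smp = m.groups()
    return AsaImage(name, (int(major), int(minor), int(maint)),
                    int(interim) if interim else None, smp is not None)


def parse_asdm_image(name: str):
    """Return ((major, minor, maint), build) for an ASDM image name."""
    m = ASDM_RE.match(name)
    if not m:
        raise ValueError(f"not an ASDM image name: {name}")
    a, b, c, build = m.groups()
    return (int(a), int(b), int(c)), int(build)


def asdm_supports(asa_release) -> bool:
    """True if the announced ASDM build lists this ASA train as supported."""
    return tuple(asa_release[:2]) in ASDM_SUPPORTED_ASA


def applicable_images(model: str, running=None, include_interim=False):
    """Announced ASA images for `model` (e.g. "5515-X"), oldest first.

    `running` is the (major, minor, maint) tuple currently installed; images
    at or below it are dropped.  Interim builds are skipped unless asked for,
    since the listing flags them and tells you to read the release note first.
    """
    chosen = []
    for name, models in ANNOUNCED_ASA.items():
        img = parse_asa_image(name)
        if model not in models:
            continue
        if img.interim is not None and not include_interim:
            continue
        if running is not None and img.release <= tuple(running):
            continue
        chosen.append(img)
    return sorted(chosen, key=lambda i: (i.release, i.interim or 0))


if __name__ == "__main__":
    # Constructed inventory: model and the release it currently runs.
    for model, running in (("5510", (9, 1, 6)), ("5580", (9, 1, 6)), ("5515-X", (9, 1, 7))):
        for img in applicable_images(model, running, include_interim=True):
            tag = f"interim {img.interim}" if img.interim else "general release"
            print(f"{model}: {img.file} -> {'.'.join(map(str, img.release))} ({tag}); "
                  f"{ASDM_FILE} supports it: {asdm_supports(img.release)}")
```

Two things the catalog makes visible that are easy to miss when reading the entries one by one: the 5580 is listed only for the 9.1.7 SMP image, so it gets nothing from the 9.4.2 and 9.5.2 drops, and the legacy 5505/5510/5520/5540/5550 take the non-SMP asa917-k8.bin rather than the SMP build. Before loading any of these files, compare the checksum shown on the download page with the file you transferred.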

Known Bugs - ASA 5500-X Series Firewalls

Alert Type:
Updated *
Bug Id:
CSCut48009
Title:
Traceback in thread CP Processing
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA Crashes in CP Processing Thread

Conditions:
-- Skinny inspection enabled.
-- Skinny traffic contains StopMediaTransmission messages carried in the same packet as a StartMediaTransmission, StartMediaTransmissionACK, or StartMediaAnnouncement.
-- Depending on how many of the above messages are seen, the issue can take some time to appear (the more messages seen, the sooner it happens).

Workaround:
Disable Skinny Inspection

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5.19)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.13), 100.14(26.10), 100.14(5.14), 100.14(6.12)
Alert Type:
Updated *
Bug Id:
CSCuu84085
Title:
DHCP-DHCP Proxy thread traceback shortly after failover and reload
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
Crash as soon as the standby unit becomes primary

Conditions:
DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.

Workaround:
Downgrade to 9.1(6)4

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(0.16), 100.14(0.30), 100.14(0.42)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCut67965
Title:
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA running 9.4.1 stops accepting IKEv2 connections.

Conditions:
ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print a pki debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.28), 100.14(10.23), 100.14(5.17), 100.14(7.33), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCui27831
Title:
Nested Traceback with No Crashinfo File Recorded on ACL Manipulation
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
An Adaptive Security Appliance (ASA) or ASA Services Module (ASASM) may reload unexpectedly after an Access Control List (ACL) change when ACL Optimization feature is enabled with the object-group-search access-control command. The problem may also occur on the standby unit in a failover pair, which is performing bulk synchronization; in that case, the standby ASA may continue to reload repeatedly.

Conditions:
ACL Optimization enabled.

Workaround:
Disable ACL Optimization.

More Info:

Last Modified:
15-JAN-2016
Known Affected Releases:
9.1(2), 9.1(2.5)
Known Fixed Releases: *
100.10(0.6), 100.8(27.85), 100.8(38.28), 100.8(40.16), 100.8(41.2), 100.8(60.34), 100.9(10.4), 100.9(6.32), 100.9(7.41), 9.0(3.100)
Alert Type:
Updated *
Bug Id:
CSCux33808
Title:
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may reboot when FIPS mode is enabled, with one of the following errors displayed on the console:
"ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]"
"ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:12:0:2:19]"

Conditions:
FIPS mode enabled (fips enable) on an affected release.

Workaround:
Reload the ASA, or disable FIPS mode with 'no fips enable'. Disabling FIPS mode also lifts the algorithm restrictions it enforces, so treat that as a temporary measure until a fixed release is installed.

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.126), 100.15(0.111), 96.1(1.58), 96.2(1.109)
Alert Type:
Updated *
Bug Id:
CSCut40770
Title:
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Some configured ASA interfaces are missing or not displayed in the FireSIGHT Management Center.

Conditions:
Interface TLV ethernet frame greater than 2048 bytes. Usually occurs with multiple interfaces and sub-interfaces configured with lengthy names for each interface.

Workaround:
Enable jumbo-frame reservation on ASA.

Further Problem Description:

Last Modified:
28-JAN-2016
Known Affected Releases:
9.3(1.221), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.80), 100.15(20.14), 100.15(20.15), 100.15(8.27), 100.16(0.8), 100.16(1.30)
Alert Type:
Updated *
Bug Id:
CSCuy01438
Title:
ASA crash after upgrade to 9.5.2
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
Crash seen when performing an upgrade from 9.3.1 to 9.5.2

Conditions:
There were no configuration changes made during the upgrade

Workaround:
NA

Further Problem Description:

Last Modified:
28-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux98913
Title:
ASA: Traceback on the ASA unit related to DNS inspection
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASA device traceback possibly related to the DNS configuration

Conditions:
DNS inspection enabled on the ASA unit

Workaround:
None at this time

Further Problem Description:

Last Modified:
28-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy03024
Title:
ASA may traceback in idfw_proc after upgrade to 9.5(2)
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASA may traceback in idfw_proc after upgrade to 9.5(2)

Conditions:
upgrade to 9.5(2)

Workaround:

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux98621
Title:
ASA may leak memory in 4096 byte bin on SSH Rekey Timeout
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
Memory usage on ASA spikes suddenly to ~100%. The only way to recover memory is to reload the ASA. The memory leak happens in binsize 4096.

ciscoasa# sh mem det | in POOL|statistics|4096
MEMPOOL_DMA_ALT1 POOL STATS:
----- fragmented memory statistics -----
----- allocated memory statistics -----
      2048          2          4096
MEMPOOL_DMA POOL STATS:
----- fragmented memory statistics -----
       256        128         40960
----- allocated memory statistics -----
MEMPOOL_GLOBAL_SHARED POOL STATS:
----- fragmented memory statistics -----
      4096          1          5568
----- allocated memory statistics -----
      4096    5089356   20846002176   <===== High value.

(In the allocated rows the columns are bin size, outstanding block count, and total bytes: 4096 x 5089356 = 20846002176.)

Conditions:
All of the following conditions must be met.

1. There was an active SSH session on ASA.
2. ASA initiated the REKEY in the ssh session.
3. At the time of rekey, an interruptible command (ping, traceroute, real-time captures) was in progress. Or ASA was in process of writing some data on the SSH channel.
4. Client has stopped responding to the ASA, because of which the rekey initiated by the ASA will eventually timeout.

Workaround:
1. Gracefully disconnect SSH sessions that you do not plan to use for a considerable time.
2. Keep the SSH idle timeout as low as practical (ssh timeout <minutes>); this reduces the chance of meeting the conditions above. The default value (5 minutes) is recommended.

Further Problem Description:
ASA initiates SSH Rekey after every 55 min (approx) period. The output of "show ssh session detail" displays the time remaining before a Rekey will be initiated.

ciscoasa# sh ssh sess det

SSH Session ID : 0
  Client IP    : X.X.X.X
  Username     : cisco
  SSH Version  : 2.0
  State        : SessionStarted
  Inbound Statistics
    Encryption        : aes128-ctr
    HMAC              : md5
    Bytes Received    : 544
  Outbound Statistics
    Encryption        : aes128-ctr
    HMAC              : md5
    Bytes Transmitted : 5360
  Rekey Information
    Time Remaining (sec)  : 3292 <========
    Data Remaining (bytes): 996141840
    Last Rekey            : 12:11:54.832 UTC Mon Jan 25 2016
    Data-Based Rekeys     : 0
    Time-Based Rekeys     : 0

Last Modified:
29-JAN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases:
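
The only signal for this leak is the 4096-byte bin of MEMPOOL_GLOBAL_SHARED climbing between readings of `show memory detail`, so the useful check is to diff two samples rather than eyeball one. As an added example (not code from the original bug note or from Cisco), the following Python parses the pool statistics in the format quoted above and reports allocated bins whose outstanding block count grew by more than a threshold. The SPIKE sample is the output quoted in the bug; the BASELINE sample is constructed to stand in for an earlier, healthy reading.

```python
"""Spot a growing allocation bin in ASA `show memory detail` output.

Added example: SPIKE is the output quoted in CSCux98621; BASELINE is a
constructed earlier reading of the same command (not real device output).
"""
import re

POOL_RE = re.compile(r"^\s*(\S+) POOL STATS:")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\b")   # size  count  total

BASELINE = """\
ciscoasa# sh mem det | in POOL|statistics|4096
MEMPOOL_DMA_ALT1 POOL STATS:
----- fragmented memory statistics -----
----- allocated memory statistics -----
2048 2 4096
MEMPOOL_DMA POOL STATS:
----- fragmented memory statistics -----
256 128 40960
----- allocated memory statistics -----
MEMPOOL_GLOBAL_SHARED POOL STATS:
----- fragmented memory statistics -----
4096 1 5568
----- allocated memory statistics -----
4096 1200 4915200
"""

SPIKE = """\
ciscoasa# sh mem det | in POOL|statistics|4096
MEMPOOL_DMA_ALT1 POOL STATS:
----- fragmented memory statistics -----
----- allocated memory statistics -----
2048 2 4096
MEMPOOL_DMA POOL STATS:
----- fragmented memory statistics -----
256 128 40960
----- allocated memory statistics -----
MEMPOOL_GLOBAL_SHARED POOL STATS:
----- fragmented memory statistics -----
4096 1 5568
----- allocated memory statistics -----
4096 5089356 20846002176 <===== High value.
"""


def parse_mem_detail(text):
    """Return {(pool, section, bin_size): (block_count, total_bytes)}.

    `section` is "fragmented" or "allocated", taken from the ----- headers;
    rows are the three-column lines under each header.  The prompt, headers
    and trailing annotations such as "<===== High value." are skipped.
    """
    stats = {}
    pool = section = None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pool, section = m.group(1), None
            continue
        if "fragmented memory statistics" in line:
            section = "fragmented"
            continue
        if "allocated memory statistics" in line:
            section = "allocated"
            continue
        m = ROW_RE.match(line)
        if m and pool and section:
            size, count, total = (int(x) for x in m.groups())
            stats[(pool, section, size)] = (count, total)
    return stats


def growing_bins(before, after, min_block_growth=100_000):
    """Allocated bins whose outstanding block count rose by at least
    `min_block_growth` between two samples, largest byte growth first.

    A bin that only ever grows (the 4096-byte bin in this bug) is the
    signature of a leak; one that rises and falls with traffic is not.
    """
    hits = []
    for (pool, section, size), (count, total) in after.items():
        if section != "allocated":
            continue
        count0, total0 = before.get((pool, section, size), (0, 0))
        if count - count0 >= min_block_growth:
            hits.append({"pool": pool, "bin": size,
                         "block_growth": count - count0,
                         "byte_growth": total - total0})
    return sorted(hits, key=lambda h: h["byte_growth"], reverse=True)


if __name__ == "__main__":
    for hit in growing_bins(parse_mem_detail(BASELINE), parse_mem_detail(SPIKE)):
        print(f"{hit['pool']} bin {hit['bin']}: +{hit['block_growth']} blocks, "
              f"+{hit['byte_growth'] / 2**30:.1f} GiB")
```

Run it against two captures taken some time apart (for example from a scheduled `show memory detail` collected over SSH); with the samples above it reports a single hit, the 4096-byte bin of MEMPOOL_GLOBAL_SHARED, and stays silent for the DMA pools whose counts did not move.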
Alert Type:
Updated *
Bug Id:
CSCuy01420
Title:
ASA traceback in Thread Name: Unicorn Proxy Thread.
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASA failover pair crashing in Thread Name: Unicorn Proxy Thread

Conditions:
ASA5585-SSP-60 running version 9.5.2.

Workaround:
No workaround

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut03495
Title:
Cisco ASA DNS Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload.

The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a request to an affected Cisco ASA appliance to cause it to generate a DNS request packet. The attacker would need to spoof the reply packet with a crafted DNS response.

Note: Only traffic directed to the affected device can be used to exploit this vulnerability. This vulnerability affects Cisco ASA Software configured in routed or transparent firewall mode and single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns1

Conditions:
See Security Advisory

Workaround:
See Security Advisory

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6325 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-JAN-2016
Known Affected Releases:
100.13(0.35), 9.2(1)
Known Fixed Releases:
100.11(0.57), 100.12(0.120), 100.13(0.61), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCux82168
Title:
LDAP over SSL (LDAP-S) authentication failing
Status:
Open
Severity:
2 Severe
Description:

Symptom:
LDAP-secure over SSL (LDAP-S, port 636) authentication is failing for ASA releases 9.3.2, 9.4.x and 9.5.x.

LDAP (non-secure, port 389) authentication is functional.

Conditions:
LDAP-over-SSL authentication for operations such as remote access VPN.

Workaround:
Use LDAP (non-secure, port 389).

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases: *
9.3(2), 9.4(1.112), 9.4(2), 9.5(1.4), 9.5(1.5), 9.5(2), 96.1(1.58)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux23804
Title:
ASA: Block depletion due to syslog server unreachable on port channel
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
256-byte and 1550-byte blocks get depleted when a syslog server configured on a port channel becomes unreachable.
The issue is not seen on 9.x; only 8.4 is affected by this bug.

Conditions:
A UDP syslog server configured on a port channel becomes unreachable.

Workaround:
No workaround to prevent this issue from happening.
Use a physical interface to configure the syslog server.

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases:
8.4(7.26)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy05714
Title:
ASA Interfaces on SSP Module 1 flap when SFR software is rebooted
Status:
Open
Severity:
2 Severe
Description:

Symptom:
If the Firepower Software is rebooted on the SSP module on a 5585, then the interfaces on that SSP module will bounce for about 30 seconds. This causes traffic on those interfaces to get dropped, and can cause a possible outage.

Conditions:
Firepower SSP Module installed on 5585 chassis
Active traffic on interfaces on the module (ASA SSP interfaces begin with 0/ and SFR SSP interfaces begin with 1/)

Workaround:
1) Don't use interfaces on SSP Module 1 with active traffic while rebooting the Firepower software.

2) If upgrading or rebooting a failover pair, perform the action on the standby, wait until it comes up, and then force it to active so that there is no downtime due to the active ASA flapping interfaces.

Further Problem Description:

Last Modified:
30-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy05949
Title:
ASA: MAC address changes on active context when WRITE STANDBY is issued
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
In an Active-Active HA setup, when one group is active on the secondary ASA and a write standby command is issued, the mac-address changes for both the active and standby contexts in that group.

Conditions:
- multi-context HA pair
- the write standby command should be issued on the active context of the secondary ASA.

Workaround:

Further Problem Description:

Last Modified:
30-JAN-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux40311
Title:
ASA: Watchdog traceback without crashinfo on 100% memory usage
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA reloads without writing any crashinfo

Conditions:
ASA's memory usage at the time of reload was 100%

Workaround:

Further Problem Description:
If the ASA reloads due to a software error, it writes a crashinfo to disk. But under high memory usage conditions, the ASA may fail to generate a crashinfo. Note that this bug is only for investigation of the crash, irrespective of the source of the high memory usage.

Last Modified:
30-JAN-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv20449
Title:
Traceback in Thread Name: ssh when using capture or continuous ping
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: ssh

Conditions:
The crash happens when a rare condition is hit, in which two things are happening simultaneously:

1. An interruptible command is in progress in an SSH session. Examples are ping, traceroute, real-time captures, etc.
2. The ASA and the SSH client are in the process of rekeying the SSH connection. This rekey normally takes place approximately every 60 minutes in an SSH session.

Workaround:
Avoid running interruptible commands in an SSH session that has been active for over 50 minutes.

Further Problem Description:

Last Modified:
01-FEB-2016
Known Affected Releases:
9.1(6), 9.1(6.1), 9.1(6.4), 9.4(1)
Known Fixed Releases: *
100.13(0.127)
Alert Type:
Updated *
Bug Id:
CSCux03626
Title:
Traceback in thread name: Unicorn Proxy Thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA running code 9.5(1)4 faced a traceback in Unicorn Proxy Thread.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
31-JAN-2016
Known Affected Releases:
9.5(1.4)
Known Fixed Releases: *
100.13(0.127), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCux27903
Title:
BOSC Runtime Buffer overflow error detected while executing OSPFV3 Tests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA crashes with BOSC Runtime Buffer overflow error

Conditions:
OSPFv3 is configured and crafted packets are sent to the OSPF interface.

Workaround:
None

Further Problem Description:
System Affected

Last Modified:
31-JAN-2016
Known Affected Releases:
100.16(0.7)
Known Fixed Releases: *
100.13(0.127), 96.1(1.62), 96.2(1.111)
Alert Type:
New
Bug Id:
CSCuy06600
Title:
ASA crash in Kerberos (KCD) process during Clientless WebVPN operations
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA crashed in Kerberos (KCD) process during Clientless WebVPN operations.

Conditions:
Kerberos (KCD) is used for Clientless WebVPN.

Workaround:
none

Further Problem Description:

Last Modified:
01-FEB-2016
Known Affected Releases:
9.0(4.29)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station to not include the affected OIDs.

Last Modified:
31-JAN-2016
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13)
Alert Type:
Updated *
Bug Id:
CSCuq97035
Title:
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Citrix 5/6 application doesn't launch with IE10

Conditions:
Windows 7 SP1, IE10, Citrix ICA client 14.1.0 32-bit

Workaround:
Use IE11 or FF 28+

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.20), 100.15(1.35), 100.15(10.4), 100.15(2.66)
Alert Type:
Updated *
Bug Id:
CSCuu56912
Title:
ASA change non-default port to 443 for https traffic redirected to CWS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA change non-default port to 443 for https traffic redirected to CWS

When the user types the URL https://X.X.X.X:YYYY into a web browser, debug scansafe generates
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...

For traffic captured on the outside interface towards the CWS tower, Wireshark's 'Follow TCP Stream' view displays
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443

Conditions:
ASA is configured to redirect non-default port for https traffic to CWS.

Workaround:
NONE

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0, 9.1, 9.4
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.13(29.28), 100.14(0.39), 100.14(16.1), 100.14(5.19), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu88437
Title:
ASA5506-X:copy file operations fail with jumbo-frame-reservation config
Status:
Other
Severity:
2 Severe
Description:

Symptom:
Copy file operations fail with an error when running these images (9.4.1.1, 9.4.1.2) on an ASA-5506-X, when the config is enabled for "jumbo-frame reservation". The error displayed is as below:

"Error writing disk0:/ (Cannot allocate memory)"

It doesn't matter what file you operate on, an asdm or an lfbff image, and whether you are copying from ftp/tftp to disk0 or just simply copying a file from disk0://file to disk0://file1.
I used the asdm-732.bin image for this operation:
"copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.

Conditions:
File copy operations to disk0 on an ASA5506-X.

Workaround:
Remove the "jumbo-frame reservation" CLI config, reboot, and then copy operations succeed. Re-enable the CLI after copy operations are complete.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(0.47)
Known Fixed Releases: *
100.13(0.81), 100.14(0.48), 100.14(0.49), 100.14(0.66), 100.14(16.1), 100.14(16.3), 100.14(5.23), 100.14(5.26), 100.14(7.42), 100.15(0.17)
Alert Type:
Updated *
Bug Id:
CSCur68860
Title:
Linux Kernel raw_cmd_copyout() Local Privilege Escalation Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-1738

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-1738 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw09578
Title:
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5585-20 in a Failover Active/Standby setup: traceback

Conditions:

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.224)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCuw12844
Title:
ASAv: Support for VFAT config_drive_format in openstack
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv is not able to load the config file at instantiation time with config-drive format VFAT in OpenStack.

Conditions:
OpenStack provides an option to attach a config file to the ASAv by putting it into a config drive that is made available to the VM.
There are two config drive options in OpenStack:
- ISO9660
- VFAT

With the "ISO9660" format this takes the form of a virtual CD-ROM.
This is currently supported in ASAv.

With the "VFAT" format this takes the form of a virtual disk drive.
This is not currently supported in ASAv.

Workaround:
None

Further Problem Description:
This was fixed as part of DDTS below and integrated into multiple releases.
http://cdetsweb-prd.cisco.com/apps/dumpcr?identifier=CSCuu86317&parentprogram=QDDTS.

Other commits have broken the fix.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.202), 9.5(1.200)
Known Fixed Releases: *
100.14(0.76), 100.14(16.9), 100.14(5.33), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv10258
Title:
ASA5505 permanent base license, temp secplus, failover, vlan count issue
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
show version displays a 3-VLAN license instead of 20 if a base license and a time-based Security Plus license are combined on the ASA5505 platform after failover is enabled.

Conditions:
Three combined conditions:
1. Permanent base license
2. Time-based Security Plus license
3. Failover is enabled

Workaround:
No known workaround

Further Problem Description:
The problem exhibits itself after a reboot. Looks like a variant of CSCtf91862.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17)
Alert Type:
Updated *
Bug Id:
CSCur99653
Title:
Codenomicon HTTP-server suite may cause crash
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Codenomicon HTTP-server suite may cause crash

Conditions:
Codenomicon server testing

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.12(0.108), 100.13(1.10), 9.3(1.113), 9.3(3.227)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCuu78835
Title:
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
On the latest Atlassian Confluence version 6.4.5, we have the following issues when using it over clientless SSL:

1. For a new "create content" page, only the title of the page can be added; the body of the page is not editable.
2. When trying to add a comment, the body of the comment is missing, so nothing can be added.

Conditions:
Using Atlassian Confluence version 6.4.5

Workaround:
Use an older Atlassian version.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.8(40.67), 9.2(2), 9.3(2), 9.3(3.229), 9.4(1)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Cisco ASA BTF feature should not be case sensitive. A user can get around the BTF feature by using capital letters in domain names.

Conditions:
Configuring white and black lists for BTF

Workaround:

Not known

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.2(2.12)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.14(16.8), 100.14(5.32), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45)
Alert Type:
Updated *
Bug Id:
CSCuv43902
Title:
ASA: Watchdog Traceback with Thread Name:- SXP CORE
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device traceback in thread name:- SXP CORE

Conditions:
ASA device configured with a TrustSec configuration.

Workaround:
No workaround as of now

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83)
Alert Type:
Updated *
Bug Id:
CSCuv88785
Title:
RA validation failed when CA/subCA contains name constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains the X.509 Name Constraints extension, the ASA fails with the error:

CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CERT-C: I pkixpath.c(2728) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received
CRYPTO_PKI: Unable to read CA/RA certificates.Error processing auth response. Unable to send PKI request
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status: Crypto CA thread sleeps!

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1), 9.4(1.100), 9.4(1.201)
Known Fixed Releases: *
100.13(0.100), 100.14(0.74), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuc12967
Title:
OSPF routes were missing on the Standby Firewall after the failover
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Loss of OSPF routes from the Standby device after the failover

Conditions:
FW1 and FW2 are in HA and both have their OSPF routes synced with each other. When FW1 fails over to FW2, FW1 is missing the OSPF routes.

Workaround:
No workaround

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(3.9), 8.4(4.1)
Known Fixed Releases: *
100.7(13.104), 100.7(6.104), 100.8(0.242), 100.8(11.42), 100.8(27.20), 100.8(33.27), 100.8(34.1), 100.8(38.1), 100.8(39.1), 100.9(0.6)
Alert Type:
Updated *
Bug Id:
CSCut88287
Title:
ASA Traceback in vpnfol_thread_msg
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device Traceback in vpnfol_thread_msg

Conditions:
ASA device running in Active/Standby HA Pair.

Workaround:
NONE

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.79), 100.13(29.28), 100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCur68867
Title:
Linux Kernel shmem_fallocate() Local Denial of Service Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-4171

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:W/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4171 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw44744
Title:
Traceback in WebVPN rewriter
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback while processing WebVPN connections in the rewriter

Conditions:
ASA 5585 running special release 9.3.3.225.

Workaround:
None.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4), 100.16(1.10)
Alert Type:
Updated *
Bug Id:
CSCut75983
Title:
ASA Traceback in PPP
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in ppp_timer_thread.

Conditions:
ASA under heavy traffic. The ASA is already dropping VPN tunnels (over-subscription of the ASA).

Workaround:
none

Further Problem Description:
ASA reloaded on its own.

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuv72064
Title:
Network Time Protocol Daemon Authentication Bypass Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-9296

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9296 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu27334
Title:
ASA: Traceback with Thread Name - AAA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device Traceback with Thread Name:- AAA

Conditions:
ASA device running version 9.1(4)

Workaround:
Upgrade to 9.1.6.4 or later.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuu07799
Title:
Cisco ASA DNS Denial of Service Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an
affected system to reload.

The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a crafted request to an
affected Cisco ASA device to cause it to generate a DNS request packet. The attacker would need to spoof the reply packet with a crafted DNS
response.

Note: This vulnerability can be exploited only by traffic that is directed to the affected device. This vulnerability affects Cisco ASA Software
configured in routed or transparent firewall mode and single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns2

Conditions:
See Security Advisory

Workaround:
See Security Advisory

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6.3)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.74), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30)
Alert Type:
Updated *
Bug Id:
CSCut92194
Title:
ASA traceback in Thread Name: CP Processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.

Conditions:
ASA is configured for Websense URL filtering.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCur07369
Title:
SXP Version Mismatch Between ASA & N7K with clustering
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The SXP connection cannot be established when an ASA cluster is interacting with an SXP peer running the SXP version 1 protocol.

Conditions:
(1) The ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the SXPv1 request from the SXP peer is hashed to a slave unit of the ASA cluster instead of the master unit.

Workaround:
- Upgrade the SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing the SXP connection so that the hash algorithm directs the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of a slave unit.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCut56198
Title:
Clustering: Traceback in DATAPATH with transparent FW
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback occurred on one of the slave units in a 4 node cluster in the DATAPATH thread. Stack trace indicates that the ASA was doing a transparent firewall operation.

Conditions:
Cisco ASA running release 9.2.1.213 and configured as a cluster slave with multi-context configuration which included mixed-mode contexts.

Workaround:
None

Further Problem Description:
Please see Eng-note.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(1.213), 9.3(2.108)
Known Fixed Releases: *
100.11(0.57), 100.11(0.58), 100.12(0.120), 100.12(0.121), 100.13(0.61), 100.13(21.12), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.7)
Alert Type:
Updated *
Bug Id:
CSCur20322
Title:
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA in an L2 cluster environment causes a DATAPATH traceback. The unit comes back up but will not join the cluster and results in an RPC_SYSTEMERROR failure. Manual joining into the cluster causes an immediate crash after entering "enable".

Conditions:
ASA operating in 9.2.1 code and in multi-context.
ASA in a cluster L2 environment.

Workaround:
No workaround at this time.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCuu86195
Title:
conn-max counter is not decreased accordingly
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Problem description:
- after the maximum number of TCP connections for a class-map is exceeded, the counter for the active connections ("current conns") starts to decrease into negative values
- all new connections that match the configured policy are dropped even if the number of configured connections is not exceeded
%ASA-3-201011: Connection limit exceeded -36/30 for input packet from 10.100.48.4/54675 to 172.29.41.10/8443 on interface in

Similar scenarios, in which legitimate connections are dropped when the counter:
- "current conns" is decreased into negative values; e.g. -36/30
- "current conns" does not drop to zero (after all the connections are closed) and is stuck at a random value; e.g. 26/30 --> just 4 new connections are allowed
- "current conns" goes over the maximum value and does not drop to zero (after all the connections are closed); e.g. 32/30

Conditions:
Issue observed in ASA software versions 9.2.2 and 9.2.24 (tested versions), just for TCP traffic.

Workaround:
N/A

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(2), 9.2(2.4)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuv57389
Title:
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA running release 9.1(6.4) or 9.1(6.6) will fail to authenticate IKEv2/IPsec sessions using RSA-SIG for authentication.

The following error is generated in the IKEv2 debugs:

IKEv2-PROTO-2: (1): Verify peer's authentication data
IKEv2-PLAT-1: (1): Failed to verify signature
IKEv2-PROTO-1: (1): Failed to compute or verify a signature

Conditions:
ASA running 9.1(6.4) or 9.1(6.6) and authenticating IKEv2/IPSec sessions using RSA-SIG.

This has only been observed when talking to an IOS Lan-to-Lan peer. Tests show IKEv2 Cert Auth with AnyConnect and ASA Lan-to-Lan peers is successful.

Workaround:
A downgrade to 9.1(6.1) or 9.1(6) corrects the behavior. Preshared keys can also be used.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6.4), 9.1(6.6), 9.1(6.8)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.14(16.8), 100.14(5.32), 100.15(0.25), 100.15(16.3), 100.15(17.1), 100.15(3.44), 100.15(6.29)
Alert Type:
Updated *
Bug Id:
CSCuv25327
Title:
bgp ipv6 neighborship fails with ASA after hard reset on router
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
bgp ipv6 neighborship fails with ASA after hard reset on router

Conditions:
ASA with 9.5.1 or above has this issue.

Workaround:
Reset the BGP session on the ASA using the 'clear ip bgp *' command.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(0.61)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuu39615
Title:
eglibc 2.18 is missing upstream fix #15073
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA could crash due to heap corruption

Conditions:
Heavy memory allocation

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2), 9.3(2.2)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.16), 100.13(29.28), 100.14(0.30), 100.14(16.1), 100.14(5.19), 100.14(7.38), 100.15(0.13), 100.15(1.18)
Alert Type:
Updated *
Bug Id:
CSCuw24664
Title:
ASA:Traceback in Thread Name:- netfs_thread_init
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in netfs_thread_init

Conditions:
ASA device configured with an SSL WebVPN configuration

Workaround:
None at this time

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.113), 100.13(32.1), 100.14(0.79), 100.14(5.34), 100.15(0.53), 100.15(17.23), 100.15(3.76), 100.15(8.18)
Alert Type:
Updated *
Bug Id:
CSCuu18989
Title:
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a maximum simultaneous connection limit is set, the ASA might drop connections with the error message '%ASA-3-201011: Connection limit exceeded' even though the current connection count is clearly nowhere near the configured limit.

Conditions:
ASA 5585 running 9.4(1) version code

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.83), 100.14(0.62), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.28), 100.15(10.3), 100.15(2.59)
Alert Type:
Updated *
Bug Id:
CSCur51645
Title:
Linux Kernel ptrace Local Privilege Escalation Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-4699

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4699 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu45812
Title:
asa Traceback with Thread Name idfw_proc
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback with thread name idfw_proc

Conditions:

Workaround:
No workaround available currently.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCut29845
Title:
Linux Kernel Netlink Message Security Bypass Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0181

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 1.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0181 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv10938
Title:
'redistribute' cmds under 'router eigrp' removed on deleting any context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
'redistribute' commands under 'router eigrp' are removed from unrelated contexts when deleting any context that has EIGRP configured with redistribution enabled. An error of the following format is seen on the ASA console:

ERROR: unable to locate route-map

Conditions:
1. ASA is in multiple context mode.
2. More than one context on the ASA has EIGRP enabled with redistribution configured.
3. Issue seen when deleting any of the contexts that meet the criteria in point 2 above using the command "no context ".

Workaround:
None apart from re-adding all those commands back manually.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuw36853
Title:
ASA: ICMP error loop on cluster CCL with Interface PAT
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Elevated CPU may be observed on 2 or more units of an ASA cluster. Packet captures on the cluster control link will show ICMP error packets looping continuously between the units displaying high CPU conditions.

Conditions:
1. ASA in Layer-2 cluster mode.
2. PAT configured.
3. An ICMP error packet is received on a unit that is the director for the embedded payload flow.
4. The embedded payload of the ICMP error packet matches an existing xlate entry but does not match any connection, and the owner of the xlate's PAT address is a different unit than the one where the packet is received.

Workaround:
With interface PAT, the workaround is to deny ICMP on the ASA's interface using the 'icmp' command.
With a PAT pool, the workaround is to deny ICMP error packets in the interface ACL.

Alternatively, add an xlate per-session configuration.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.3), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCuv70932
Title:
FO: ASAv crashed while syncing during upgrade from 9.4.1 to 9.5.1
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
FO: ASAv crashed while syncing during upgrade from 9.4.1 to 9.5.1

Conditions:
Upgrade from 9.4.1 to 9.5.1 with a very large customer configuration.

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCur68854
Title:
Linux Kernel compat_sys_recvmmsg Function Local Privilege Escalation V
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0038

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0038 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv01177
Title:
ASA: traceback in IDFW AD agent
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 in failover pair may traceback in IDFW process.

Conditions:
ASA running IDFW features.

Workaround:
Disable IDFW.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCur54853
Title:
Linux Kernel NF_CONNTRACK Local Information Disclosure Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-1690

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-1690 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw59388
Title:
Unable to load ASDM to a Context in Multiple Context Mode
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Unable to load ASDM to a context when ASA is in Multiple Context Mode.

Conditions:
ASA running in multiple context mode.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.15(0.72), 9.5(1.53), 99.1(3.147), 99.1(3.182), 99.1(3.95)
Known Fixed Releases: *
100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20), 9.5(1.99), 9.5(2), 99.1(3.186)
Alert Type:
Updated *
Bug Id:
CSCut44082
Title:
EIGRP configuration not being correctly replicated between failover ASAs
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
We have found that the 'no passive-interface (interface-name)' and the 'distribute-list (distr-list-name) out interface (interface-name)' commands are not being correctly replicated between a pair of ASA firewalls configured in failover.

Conditions:
This issue occurs only when the active FW replicates the configuration to the standby unit in the following two scenarios:

1.- When issuing 'write standby' on the active FW.

OR

2.- When, after the standby unit is rebooted, the active unit automatically replicates the configuration to the standby unit.

(ASA-1/pri/act# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate)

NOTE: In the recreation lab only the distribute-list disappears, but in the production environment one of the 'no passive-interface' commands disappears too.

Workaround:
While running ASA codes 9.2(2)4, 9.2(3) and 9.3(2):

1.- Avoid using the 'write standby' command on the active ASA; use 'write memory' or 'copy running-config startup-config' instead.

2.- If for whatever reason the standby unit is rebooted, you will need to manually re-add the missing EIGRP configuration lines on the active unit so that the standby unit receives the whole required EIGRP configuration.

I already confirmed this EIGRP replication issue is not happening when running codes 8.6(1), 9.1(1) and 9.1(5), so downgrading to these ASA codes is another workaround.

Further Problem Description:
Here is the detailed EIGRP configuration from our testing:

ASA-1/pri/act(config)# router eigrp 7
ASA-1/pri/act(config-router)# no auto-summary
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# distribute-list NO-PUB-ROUTES-OUT out interface $
ASA-1/pri/act(config-router)# network 10.1.4.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.50.16 255.255.255.248
ASA-1/pri/act(config-router)# network 10.1.94.0 255.255.254.0
ASA-1/pri/act(config-router)# network 10.1.97.0 255.255.255.128
ASA-1/pri/act(config-router)# network 10.6.254.128 255.255.255.128
ASA-1/pri/act(config-router)# network 198.209.254.0 255.255.255.0
ASA-1/pri/act(config-router)# network 198.209.255.0 255.255.255.0
ASA-1/pri/act(config-router)# passive-interface default
ASA-1/pri/act(config-router)# no passive-interface outside
ASA-1/pri/act(config-router)# no passive-interface inside
ASA-1/pri/act(config-router)# no passive-interface dmvpndmz
ASA-1/pri/act(config-router)# no passive-interface stldcdmz

ASA-1/pri/act# sh run router
router eigrp 7
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stldcdmz
network 10.1.4.0 255.255.254.0
network 10.1.94.0 255.255.254.0
network 10.1.97.0 255.255.255.128
network 198.209.254.0 255.255.255.0
network 198.209.255.0 255.255.255.0
network 10.1.50.16 255.255.255.248
network 10.6.254.128 255.255.255.128
passive-interface default
no passive-interface inside
no passive-interface dmvpndmz
no passive-interface stldcdmz
no passive-interface outside

ASA-1/pri/act# sh run all router
router eigrp 7
no auto-summary
distance eigrp 90 170
distribute-list NO-PUB-ROUTES-OUT out interface inside
distribute-list NO-PUB-ROUTES-OUT out interface dmvpndmz
distribute-list NO-PUB-ROUTES-OUT out interface stl

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(2.4), 9.2(3), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCuv07106
Title:
ASATraceback in ssh whilst adding new line to extended ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in ssh whilst adding an extended ACL

Conditions:
Making a change to an ACL that is part of class-map which is then applied under policy-map

Workaround:
1. Remove any configured ethertype ACL,
e.g. no access-list bpdu-deny ethertype deny bpdu

2. Modify or add the new ACE in the ACL associated with the class-map

3. Reapply the removed ethertype ACL together with its relevant configuration

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(7.22), 8.4(7.27), 8.4(7.28)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCut39985
Title:
Per-session PAT RST sent to incorrect direction after closing session
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When per-session PAT is configured, the RST,ACK is sent to the non-close-initiator side after the TCP session closes. It should be sent to the close-initiator side (the device that sent the FIN first).

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Conditions:
Per-session PAT is configured like below

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Workaround:
Disable Per-session PAT

xlate per-session deny tcp any4 any4

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCuv51649
Title:
SSL : Unable to Join nodes in Cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA slave is unable to join the cluster and fails with the error "cluster_ccp_make_rpc_call failed to clnt_call. msg is CCP_MSG_REGISTER". Debugs with "debug ssl 255" show the error message -

error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460

Conditions:
Attempting to join the cluster on the ASA slave using the "enable" command fails with an rpc error message.

Workaround:
Remove the RC4 cipher using one of the following commands -

ssl cipher default custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"

OR use the older version of the same command -

ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1

Then, attempt to join the cluster again

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.15(3.19)
Known Fixed Releases: *
100.11(0.66), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.33), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuu87823
Title:
ASAv traceback in DATAPATH when used for WebVPN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv traceback in DATAPATH when used for WebVPN

Conditions:
ASAv running release 9.4.1 and configured for WebVPN

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.143), 100.13(0.95), 100.13(29.28), 100.14(0.71), 100.14(16.5), 100.14(5.30), 100.15(0.24), 100.15(1.68), 100.15(16.3)
Alert Type:
Updated *
Bug Id:
CSCus32005
Title:
ASA - Traceback in thread name SSH while applying BGP show commands
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in thread name SSH while performing BGP show commands.

Conditions:
ASA running 9.2.2.4

Workaround:
Not known.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.13(29.28), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12)
Alert Type:
Updated *
Bug Id:
CSCuv39775
Title:
ASA cluster-Incorrect "current conns" counter in service-policy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Incorrect "current conns" counter in the service-policy on an ASA cluster.
It does not match the connection count reported by "show conn count" on the unit, and leads to traffic drops in the service-policy once the configured limit is hit.

Conditions:

1) ASA in a cluster setup.
2) Applies to both single or multiple mode.
3) Typical config :
class connection_limit
set connection conn-max 500000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50

Workaround:
None.

Further Problem Description:
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0 <<<<
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used <<<<<<<<<<<<<<

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(2), 9.2(2.4), 9.3(3.2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1)
Alert Type:
Updated *
Bug Id:
CSCur68870
Title:
Linux Kernel SCTP NULL Pointer Dereference Remote Denial of Service Vu
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-5077

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-5077 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur68871
Title:
QEMU L2 Table Size Validation Integer Overflow Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0222

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0222 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw29566
Title:
ASA5585 9.5(1): Support Failover Lan on Management0/0 port
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After upgrading to 9.5(1), the ASA does not permit configuring the Management0/0 port as a failover LAN interface.

Conditions:
Observed on ASA 5585-X version 9.5(1) running Failover

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4), 100.16(1.10), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCux88237
Title:
ASA crash in DATAPATH thread
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASA in cluster environment crashes in DATAPATH

Conditions:
ASA in cluster environment crashes in DATAPATH

Workaround:
None

Further Problem Description:

Last Modified:
19-JAN-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux86728
Title:
ASA 8.4(7)23 traceback in Thread Name: DATAPATH due to double block free
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
Crash in thread name DATAPATH triggered by a double block free

Conditions:
ASA5585-SSP-10 running Software Version 8.4(7)23

Workaround:
N/A

Further Problem Description:

Last Modified:
19-JAN-2016
Known Affected Releases:
8.4(7.23)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux90497
Title:
Traceback in unicorn-proxy:aware_parse_req_headers with SSL stress test
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASA may Traceback in unicorn-proxy:aware_parse_req_headers with SSL VPN stress test

Conditions:
SSL VPN stress test

Workaround:
none

Further Problem Description:

Last Modified:
21-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux56111
Title:
"no ipv6-vpn-addr-assign" CLI not working
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When AnyConnect clients connect, they always request both IPv4 and IPv6 addresses even if IPv6 is not configured. A session will fail if the IPAA subsystem doesn't return a response to the request, even though there's no need for the request in the first place if IPv6 is not configured.

Conditions:
Failure can occur even when "no ipv6-vpn-addr-assign" is set.

Workaround:
none

Further Problem Description:

Last Modified:
20-JAN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.109), 100.16(0.19), 100.8(40.111), 9.0(4.210), 9.1(6.113), 9.4(2.5), 96.1(1.52)
Alert Type:
Updated *
Bug Id:
CSCux92403
Title:
Standby traceback on watchdog with write standby
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
A crash may happen when running a show command with the pager on the standby unit and then 'write standby' on the active unit.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
21-JAN-2016
Known Affected Releases:
9.5(1.175)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux33726
Title:
ASA traceback - WebVPN CIFS_file_rename_remove operations
Status:
Open
Severity:
2 Severe
Description:

ASA may traceback with high stress Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete).

Symptom:

Conditions:
ASA may traceback with Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete) when performed under highly stressful conditions.

Workaround:
Clientless SSL VPN and File operations.

Further Problem Description:

Last Modified:
21-JAN-2016
Known Affected Releases: *
100.13(32.2), 8.4, 9.1(6.107), 9.1(6.111), 9.1(6.112), 9.3(3.227), 9.3(3.229), 9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux70784
Title:
ASA Crash while viewing large ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload when viewing an ACL that has a lot of remarks in the configuration. In testing, this appears to happen when running a command such as 'show access-list'

Conditions:
This has been seen with a configuration with over 150k remarks present in the configuration.

Workaround:
Do not use many remarks, or clean up the existing remarks to avoid a significant number of them.

Further Problem Description:

Last Modified:
22-JAN-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.13(0.125), 100.15(0.110), 96.1(1.52), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCuw92005
Title:
Thread Name: DATAPATH-17-3095: Unit reboots when joining cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA running 9.4.2 may reboot when attempting to join a cluster.

Conditions:
ASA configured for clustering.

Workaround:
None at this time

Further Problem Description:

Last Modified:
23-JAN-2016
Known Affected Releases:
9.4(2), 9.5(1)
Known Fixed Releases: *
100.13(0.124), 100.15(0.109), 100.16(0.19), 9.4(2.191), 96.1(1.52), 96.2(1.103)
Alert Type:
Updated *
Bug Id:
CSCux69987
Title:
ASA: Crash on ASA device after adding FQDN objects in NAT rule
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA device crashes after adding FQDN objects to NAT rules.

Conditions:
ASA device configured with a NAT rule referencing FQDN objects.

Workaround:
Do not use FQDN objects in NAT statements.

Further Problem Description:

Last Modified:
24-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.125), 100.15(0.110), 100.16(0.20), 96.1(1.53), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux85863
Title:
FIPS: Continuous RNG test can mistakenly report an error
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The FIPS Continuous RNG test can incorrectly fail and reset the ASA.

Conditions:
This condition appears to be triggered by a race condition under load.

Workaround:
Disabling FIPS mode will prevent the issue; however, that may not be a feasible option in some cases. There is currently no other workaround.

Further Problem Description:

Last Modified:
24-JAN-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.13(0.124), 100.15(0.110), 100.16(0.20), 96.1(1.53), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCuf57232
Title:
XMLSoft libxml2 CVE-2012-5134 CVE-2012-2807 CVE-2013-0338
Status:
Fixed
Severity:
2 Severe
Description: *

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-3102 CVE-2011-3919 CVE-2012-2807 CVE-2012-5134 CVE-2013-0388

These vulnerabilities have been analyzed by the ASA business unit, and the product is not impacted.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-JAN-2016
Known Affected Releases:
8.4, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.3(2), 9.3(2.200)
Known Fixed Releases:
100.7(13.115), 100.7(6.114), 100.8(27.63), 100.8(50.40), 100.9(0.36), 100.9(4.5), 100.9(6.16), 100.9(7.9), 8.4(5.99), 8.4(6)
Alert Type:
Updated *
Bug Id:
CSCub84164
Title:
ASA traceback in threadname Logger
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in threadname Logger
Conditions:
ASA traceback while sending syslogs to the SSH session via the "logging monitor debug" command.
Workaround:
N/A

Last Modified:
25-JAN-2016
Known Affected Releases:
8.2(3), 8.4(4.1)
Known Fixed Releases: *
100.7(13.109), 100.7(6.105), 100.8(27.26), 100.8(34.1), 100.8(38.4), 100.8(50.9), 100.9(0.17), 100.9(4.1), 8.2(5.39), 8.4(5.5)
Alert Type:
New
Bug Id:
CSCux98029
Title:
ASA traceback in thread name :DATAPATH-3-3196
Status:
Open
Severity:
2 Severe
Description:

Symptom:
SIP inspection enabled on the ASA

Conditions:

Workaround:
NA

Further Problem Description:
The ASA was in a failover pair. The primary (active) ASA produced a crash file, after which it failed over to the secondary. No configuration changes were made when the crash occurred.

Last Modified:
26-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux97932
Title:
ASA: Traceback in Thread name:- CTM Daemon with no crashinfo generated
Status:
Open
Severity: *
2 Severe
Description:

Symptom:
ASA device traceback with Thread Name: CTM Daemon, without any crashinfo being generated.

Conditions:
No specific conditions known so far

Workaround:
No Workarounds at this time.

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux71867
Title:
ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Currently, the ASA prefers a Suite-B algorithm during an AnyConnect IKEv2 "IKE_SA_INIT Exchange" when AC Essentials is enabled. As per the following documents,

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac09localpolicy.html

to use Suite-B with AC IKEv2, an AC Premium license must be installed. So if a customer is using Suite-B for the initial exchange of their L2L IKEv2 tunnels (configured on the same ASA that terminates AC IKEv2 connections), the ASA always prefers the Suite-B algorithms for the AC IKEv2 negotiation, and the connection fails because of the AC Essentials license restriction. Also, the order of the IKEv2 policies seems to be ineffective in this case, so even if a non-Suite-B policy is configured at the top of the list, it is not negotiated during the AC IKEv2 connection.

This is the error message we see on the ASA during the failure:

IKEv2-PLAT-1: Failed to create an IKEv2 Proposal because an AnyConnect Premium license is required to support an IKEv2 remote access connection using NSA Suite B algorithms
IKEv2-PLAT-1: unable to build ikev2 policy
IKEv2-PROTO-1: (7): Failed to locate an item in the database

On the AC client, this is the failure message:

Could not connect to server. Please verify Internet connectivity and server address.

Conditions:
#AC w/ IKEv2.
#ASA configured w/ Suite-B IKEv2 policies apart from non-SuiteB policies.
#AC Essentials enabled on the ASA.

Workaround:
Disable the AC Essentials license.

Further Problem Description:

Last Modified:
04-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu16907
Title:
ASA: Watchdog traceback in DATAPATH
Status: *
Terminated
Severity:
2 Severe
Description:

Symptom:
ASA Watchdog traceback after an upgrade in failover environment.

Conditions:
ASA in a failover pair environment, upgraded to 9.1(5.21).

Workaround:
None

Further Problem Description:

Last Modified:
05-JAN-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv58559
Title:
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: DATAPATH

Conditions:
1) While modifying the "set connection" config under MPF.
2) Live traffic is passing through both units matching the MPF connection policy.

Workaround:
Do not modify the connection MPF policy while live traffic is inspected through it.

Further Problem Description:
Sample config:

policy-map global_policy
class conn-test
set connection conn-max 4000 embryonic-conn-max 2500

Last Modified:
06-JAN-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCum70178
Title:
Datapath:Observing Deadlock in different DATAPATH threads
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
A Cisco ASA working as a failover standby unit periodically reloads in thread name DATAPATH.

The crash message could be like the following:

Deadlock in thread DATAPATH-9-2588, from:
Traceback from thread DATAPATH-9-2588:
The test scenario was multiple FTP clients from the outside to a single FTP server on the inside, with a 1K conn/sec rate.

Conditions:
Cisco ASA 8.4 when configured as the standby unit in a failover pair.
The reason the problem is more evident on the standby unit could be that, as there isn't much work to do, multiple cores may work on flow timeouts at the same time.

As part of detaching a flow from host->h_tcp_eflow, the embryonic flow count is decremented.
But this is done for paired_flow->host while holding the flow->host lock.

This can lead to a deadlock in the following scenario:
Core-1:
The host lock of Forward_flow->host_A was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters.
The host lock of Reverse_flow->host_B is then attempted in snp_flow_dec_host_tcp_eflow_counters.

Core-2:
The host lock of Forward_flow->host_A was acquired in snp_host_detach_flow, which invokes snp_flow_dec_host_tcp_eflow_counters.
The host lock of Reverse_flow->host_B is then attempted in snp_flow_dec_host_tcp_eflow_counters.


Workaround:
None

Further Problem Description:

Last Modified:
06-JAN-2016
Known Affected Releases:
100.8(38.102), 8.4(7.9), 9.1, 9.1(4.5), 9.1(5)
Known Fixed Releases:
100.10(9.6), 100.7(6.131), 100.8(38.126), 100.8(40.68), 100.8(56.32), 100.8(63.2), 100.8(64.6), 100.8(65.4), 100.8(66.7), 8.2(5.50)
Alert Type:
New
Bug Id:
CSCux74071
Title:
ERROR: Internal error configuring service on TCP port 80 in ASA9.6.0.50
Status:
Open
Severity:
2 Severe
Description:

Symptom:
AAA authentication redirect commands are not accepted when applied the first time.

Conditions:
AAA authentication redirect commands are not accepted when applied the first time.

Workaround:
Reconfigure the AAA redirect command; this makes it work.

The issue is not seen until "clear config all" is issued.

Further Problem Description:

Last Modified:
06-JAN-2016
Known Affected Releases:
9.6(0.50)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw17930
Title:
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic may be sent to the wrong tunnel when remote networks overlap.

Conditions:
- S2S IPSec VPN
- Remote network which partially overlaps

Workaround:
Removing and re-applying the crypto map to the interface when the issue is happening,
or
adding a deny statement to the crypto map for the part of the network which overlaps.

Further Problem Description:

Last Modified:
08-JAN-2016
Known Affected Releases:
9.0(4), 9.1(5.21), 9.1(6.8)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.41), 100.15(17.15), 100.15(3.64), 100.15(8.16), 100.16(0.2), 100.16(1.4)
Alert Type:
Updated *
Bug Id:
CSCun66161
Title:
5585-20 8.4.7.11 traceback in Thread Name Datapath w/ DCERPC inspection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When dcerpc inspection is configured, the device may crash in Datapath.

Conditions:
ASA5585-20 on ASA 8.4.7.11
dcerpc inspection configured

Workaround:
Disable dcerpc inspection

Further Problem Description:

Last Modified:
12-JAN-2016
Known Affected Releases:
8.4(7.11)
Known Fixed Releases: *
100.10(9.7), 100.11(0.3), 100.7(6.130), 100.8(40.66), 100.8(56.39), 100.8(65.6), 100.8(66.12), 8.4(7.16), 9.0(4.8), 9.1(5.1)
Alert Type:
Updated *
Bug Id:
CSCuw22130
Title:
ASA traceback when removing dynamic PAT statement from cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The master ASA in a cluster running code 9.3.3.2 presented a DATAPATH-1-1958 traceback caused by an "Address not mapped" fault.

Statement removed was:

no nat (visitors,outside) source dynamic Guest_network PAT-Guest-Pool

Conditions:
> ASA running code 9.3.3.2
> Individual (L3) mode
> Removing Dynamic PAT rule

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.15(8.33), 100.16(0.10), 100.16(1.50), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCur54965
Title:
cURL and libcurl Certificate Validation Remote SSL Server Spoofing Vul
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2013-4545

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-4545 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 8.7(1), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 9.5(2), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur68856
Title:
Linux Kernel IPv6 Router Advertisement Packet Processing Denial of Ser
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-2309

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.1:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-2309 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur54856
Title:
XMLSoft libxml2 Entity Expansion Handling Denial of Service Vulnerabil
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0191

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0191 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv05386
Title:
Clientless webvpn on ASA does not display asmx files
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A Clientless user selects a bookmark from the web portal. The page does not display correctly; a portion of the page is garbled or is missing text.

Conditions:
-Clientless user authenticates to the web portal, then selects a bookmark that points to an internal HTTP site.
-The user sees garbled or incomplete text returned from the ASA.

Workaround:
Smart Tunnel resolves the issue.
Using the stand alone AC client resolves the issue.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.68), 100.14(16.8), 100.14(5.32), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4)
Alert Type:
Updated *
Bug Id:
CSCur68877
Title:
Linux Kernel ext4/file.c Local Denial of Service Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-8086

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:UC

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-8086 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut29842
Title:
Linux Kernel Memory Fault Privilege Escalation Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-9322

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9322 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv92371
Title:
ASA traceback: SSH Thread: many users logged in and dACLs being modified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may reload when multiple users are logged into the ASA running show commands while ACLs are being added/deleted.

Conditions:
This was observed under the following conditions:
1) There were multiple users logged into the ASA.
2) One user was trying to run show running-config or show access-list.
3) Downloadable ACLs were being added and removed based on user logins in auth proxy.

Workaround:
If "show access-list" is issued in one session, do not issue "clear config access-list" from another session; let the "sh access-list" display all elements in that session.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(2), 9.1(6), 9.3(2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.111), 100.14(0.78), 100.15(0.50), 100.15(17.21), 100.15(3.72), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCuw41548
Title:
DNS Traceback in channel_put()
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA reloads and generates a corefile

Conditions:
Multiple simultaneous DNS queries with retries

Workaround:
Disable DNS.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.109), 100.14(0.77), 100.15(0.43), 100.15(17.18), 100.15(3.66), 100.15(8.16), 100.16(0.2), 100.16(1.5)
Alert Type:
Updated *
Bug Id:
CSCuu75901
Title:
ASA failover due to issue show local-host command make CPU-hog
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In an ASA active-standby failover setup with a huge number of connections, running the 'show local-host connections' command results in the ASA failing over.

Conditions:
1. Configure active-standby failover on an ASA5585-SSP60/40 running software version 9.2.3. This issue may be observed on other ASA platforms and versions as well.
2. Have a low ASA unit hello interval configured for failover: failover polltime unit msec 200 holdtime msec 800
3. Send a large number of connections (~1 million) through the ASA.
4. Run the 'show local-host connections embryonic' command.

Workaround:
Increase the failover unit hold time

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1, 9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.91), 100.14(0.68), 100.14(16.8), 100.14(5.32), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4)
Alert Type:
Updated *
Bug Id:
CSCur68861
Title:
Linux Kernel raw_cmd_copyin() Privilege Escalation Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-1737

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-1737 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv66333
Title:
ASA picks incorrect trustpoint to verify OCSP Response
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may fail to verify a valid OCSP response during OCSP revocation check for VPN clients.

Conditions:
Revocation check is enabled under the trustpoint using OCSP and an override using cert-map is not configured

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.48), 100.15(17.20), 100.15(3.71), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains the X.509 Name Constraints extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuu66218
Title:
ASA is not correctly handling errors on AES-GCM ICV
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.

The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.

Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.

This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.

Conditions:
An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.

This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.

Workaround:
There is no workaround for customers whose security policy requires the use of AES-GCM.

For customers that can use an alternative encryption algorithm, IKE or IPSec policies using AES-GCM could be changed to use AES instead.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2015-4550 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3), 9.4(1.1)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2)
Alert Type:
Updated *
Bug Id:
CSCut46019
Title:
MARCH 2015 OpenSSL Vulnerabilities
Status:
Fixed
Severity:
2 Severe
Description:


Symptom:

This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-0286, CVE-2015-0292, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

This bug has been opened to address the potential impact on this product.


Conditions:

Exposure is not configuration dependent.

First Fixed Information:

8.2.5.58 (April 2015)
8.3.2.45 (April 2015)
8.4.7.29 (April 2015)
8.5.1.25 (April 2015)
8.6.1.18 (April 2015)
8.7.1.17 (April 2015)
9.0.4.34 (April 2015)
9.1.6.2 (24-Apr-2015)
9.2.3.5 (April 2015)
9.3.3.1 (8-May-2015)
9.4.1.1 (8-May-2015)

Published advisory is at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl

Workaround:

Not available.


More Info:

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.1/6.9

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html



Last Modified:
14-JAN-2016
Known Affected Releases:
8.2(5), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.73), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28)
Alert Type:
Updated *
Bug Id:
CSCut49111
Title:
ASA traceback because of TD tcp-intercept feature
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.

Conditions:
When threat-detection statistics tcp-intercept is enabled.

Workaround:
Disabling threat-detection statistics for tcp-intercept stops the crash.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue, and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26)
Alert Type:
Updated *
Bug Id:
CSCuv31964
Title:
Update Windriver OS to RCPL 21
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Cisco Adaptive Security Appliance (ASA) Software includes a version of Windriver OS that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2015-3331, CVE-2015-1819

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 9.3/7.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE IDs CVE-2015-3331 and CVE-2015-1819 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 99.1
Known Fixed Releases:
100.15(1.45), 100.15(10.3), 100.15(15.6), 100.15(16.1), 100.15(2.77), 100.15(3.26), 100.15(8.10), 9.5(1)
Alert Type:
Updated *
Bug Id:
CSCur68843
Title:
GnuTLS Regression Error Denial of Service Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-2116

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-2116 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut45114
Title:
2048-byte block leak if DNS server replies with "No such name"
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may become unresponsive due to excessive loss of 2048-byte memory blocks.

Conditions:
Many DNS lookups for bad hostnames are done from the ASA, so that the DNS server replies "no such name".

Workaround:
A reboot is required to recover the lost memory blocks.

Further Problem Description:
To monitor block utilization, use the CLI command "show blocks".

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2.101)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCuu53928
Title:
ASA does not set forward address or p-bit in OSPF redistribution in NSSA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA can advertise OSPF routes to a peer with the p-bit disabled and with a null forward address when in a Not-So-Stubby Area. This can leave the peer device unable to translate this LSA and forward it on to the rest of the topology.

OSPF Router with ID (10.0.0.50) (Process ID 1)
Type-7 AS External Link States (Area 100)

LS age: 23
Options: (No TOS-capability, No Type 7/5 translation, DC) <---
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 10.0.0.50
LS Seq Number: 80000001
Checksum: 0x791e
Length: 36
Network Mask:255.255.0.0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0 <---
External Route Tag:

This condition occurs if the advertised route is directly connected and that link comes up before the link that carries the OSPF neighborship.

Conditions:
- ASA in an OSPF Not So Stubby Area
- Redistributing Connected Routes
- Observed in single and multiple context
- Observed in failover mode or standalone mode

Workaround:
- Clear OSPF Process on ASA with command "clear ospf process"
- Bounce link of connected route that is being advertised incorrectly

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuv05916
Title:
Need to prevent traceback in js_parser_print_rest
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Unicorn Proxy Thread

Conditions:

Workaround:
none identified

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2), 9.3(3)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37)
Alert Type:
Updated *
Bug Id:
CSCuu67411
Title:
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
Status:
Fixed
Severity:
2 Severe
Description:

Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg

Symptom:
After configuring "timeout floating-conn 0:01:00" (or any value in the valid range 0:0:30-1193:0:0), the command is accepted on the ASA, but TELNET and HTTP connections to the ASA are lost.

Conditions:
Issue seen on:
1. Saleen (5512, 5525)
2. Kenton (5506)
3. vASA

Workaround:
Set "timeout floating-conn 0:00:00".

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(0.27), 100.14(0.30), 100.14(6.38)
Known Fixed Releases: *
100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12), 100.15(5.15)
Alert Type:
Updated *
Bug Id:
CSCuv32615
Title:
ASA: LDAP over SSL Authentication failure
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
LDAP over SSL authentication fails, with the following LDAP debug output:
Session Start
New request Session, context 0x00007fffddc694c0, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldaps://10.1.1.219:636
Connect to LDAP server: ldaps://10.1.1.219:636, status = Failed
Unable to read rootDSE. Can't contact LDAP server.
Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
Session End

The following drop counters increase under "show asp drop":
ssl-record-decrypt-error
np-socket-close

The "show count" output shows an increasing SSL error count:
ASA5500-21# sho count | in SSL
SSLERR DECRYPT_FAIL_OR_BAD_RECORD_MAC 1 Summary

Conditions:
LDAP over SSL is used for client authentication on an ASA running version 9.3(2)1 or above, and TLSv1.2 is used.

Workaround:
Downgrade to 9.3(2)

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2.1), 9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.146), 100.13(0.102), 100.14(0.75), 100.14(16.8), 100.14(5.32), 100.15(0.28), 100.15(1.92), 100.15(16.5), 100.15(17.7)
Alert Type:
Updated *
Bug Id:
CSCze96017
Title:
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.

Conditions:
Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).

Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client
or
2. Use passive FTP

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20)
Alert Type:
Updated *
Bug Id:
CSCuv86500
Title:
Webvpn: JS parser may crash if the underlying connection is closed
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback when a WebVPN client is connected and the ASA is processing JavaScript.

Conditions:
ASA running release 9.3.3.221.

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.221)
Known Fixed Releases: *
100.12(0.145), 100.13(0.98), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.91), 100.15(16.5), 100.15(17.6), 100.15(3.51)
Alert Type:
Updated *
Bug Id:
CSCuv96011
Title:
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OSPF over an IKEv2 L2L tunnel is broken on the ASA from 9.2(1) onwards. Routes are installed into the OSPF database successfully, but they are absent from the main routing table.

Conditions:
-IKEv2 L2L configured to propagate routes over OSPF on ASA running 9.2.1 or above.

Workaround:
-Downgrade the ASA to 9.1(5), if an option.
-Use IKEv1 tunnel

Further Problem Description:
None

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(1), 9.3(3), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Migration to the Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN floods coming from the outside, because the MPF limits are configured in the wrong direction. Protection against server overloading may also be lost, because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
The configuration created by the migration process must be removed, and the limits must be set manually via MPF in the proper direction.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
14-JAN-2016
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCur68844
Title:
Xen QEMU SCSI REPORT LUNS Memory Corruption Code Execution Vulnerabili
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-4344

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.6:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-4344 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu31751
Title:
ASA OSPF database not reflect changes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Shutting down an interface on R3 is not reflected in the routing table on R#1, because the ASA OSPF database does not reflect the change, although the routing table on the ASA itself is updated correctly. The same issue is seen only in 9.2 or 9.3, not in 9.1.

R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3

sh route ospf
O 10.20.20.0 255.255.255.0
[110/11] via 192.168.1.97, 00:32:33, backbone

ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
Known via "ospf 10", distance 110, metric 12, type inter area
Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
Routing Descriptor Blocks:
* 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
Route metric is 12, traffic share count is 1

Conditions:
Only seen on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).

Workaround:
clear ospf x process

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
108.2(0.7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCuw22886
Title:
Split-tunnel not working for EzVPN client on Kenton device (9.5.1)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The EzVPN client connects; however, the split tunnel is not applied.

Conditions:
Using an ASA5506 (Kenton) with ASA code 9.5.1.

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCur68845
Title:
Linux Kernel Networking recvmsg Memory Leak Local Information Disclosu
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-6405

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-6405 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu28909
Title:
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In an ASA cluster we may see a packet loop on the cluster control link. The loop forms when an ICMP error packet should be sent through a site-to-site VPN tunnel. Such a packet may enter a loop and cause elevated CPU utilization on the ASA.

Conditions:
+ASA cluster
+site-to-site VPN tunnel configured
+ICMP error packets destined for the VPN tunnel

Workaround:
+deny ICMP errors using an access-list on the data interfaces

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6.1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCuw15615
Title:
Backup unknown with dynamic pat pool
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The PAT pool IP backup shows up as unknown.

Conditions:
A two-node cluster is brought up with a dynamic PAT pool configuration, and transactional commit for NAT is enabled.

Workaround:
Disable transactional commit for NAT

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.15(1.86), 9.4(1.100)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13)
Alert Type:
Updated *
Bug Id:
CSCur68875
Title:
Linux Kernel Network Packet Processing Null Pointer Dereference Denial
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2014-3535

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3535 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu73395
Title:
Auth-prompt configured in one context appears in another context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Auth-prompt configured in one context appears in another context.

Conditions:
++ Device in multiple context mode.
++ More than one context.
++ More than one context with cut-through proxy configured.
++ Only one context with a custom auth-prompt.

Workaround:
If auth-prompt is configured in all contexts, the issue is not seen.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0(4.24), 9.1(4), 9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(1.51), 100.15(15.11)
Alert Type:
Updated *
Bug Id:
CSCuu39636
Title:
Cert Auth fails with 'max simultaneous-login restriction' error
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
VPN Clients connections with Certificate Authentication fail with the following error:

[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.

Conditions:
VPN Clients with Certificate Authentication

ASA running 9.1.6 or later

Workaround:
Use PSK and X-Auth for authentication
Downgrade to a non-affected version

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuu63656
Title:
ASA not generating PIM register packet for directly connected sources
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Topology
------------
Sender ---> ASA(DR) ----> RP -----> Receiver

Running 9.2.1 or later on the ASA, with the Sender directly connected to the ASA (DR):
Sender is behind the ASA
RP is in front of the ASA
ASA does not send a PIM Register packet to the RP

Conditions:
running 9.2.1 or later

Workaround:
downgrade to code 9.1.5

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(1), 9.3(2), 9.4
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12)
Alert Type:
Updated *
Bug Id:
CSCuu46569
Title:
ASA CA certificate import fails with different types of Name Constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains the X.509 Name Constraints extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCur68873
Title:
Linux Kernel Reliable Datagram Sockets Denial of Service Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2013-7339

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.7:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-7339 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv92384
Title:
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a connection entry on the ASA is in the half-open state and an invalid ACK (sequence and acknowledgement numbers out of sequence) is received for that connection, the ASA drops the invalid ACK but responds to the TCP peer with a packet carrying the PUSH and ACK flags and the sequence and acknowledgement numbers that the ASA expects from the peer. Per the RFC below, the ASA is not supposed to respond with PUSH ACK to invalid ACK segments while the connection is in the half-open state; it should instead respond with a segment carrying the RESET flag.

https://tools.ietf.org/html/rfc793#section-3.5

Information from the RFC link above :

2. If the connection is in any non-synchronized state (LISTEN,
SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges
something not yet sent (the segment carries an unacceptable ACK), or
if an incoming segment has a security level or compartment which
does not exactly match the level and compartment requested for the
connection, a reset is sent.

Conditions:
ASA working as TCP normalizer.

Workaround:
Configure TCP state bypass.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCut44075
Title:
Traceback in snp_cluster_get_buffer
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in snp_cluster_get_buffer

Conditions:
Single or two node cluster

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0, 9.3(2.101), 9.4(0.117)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCur68878
Title:
Red Hat qemu-kvm High Resolution Display Memory Leak Information Discl
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2014-3615

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 2.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:S/C:P/I:P/A:N/E:U/RL:TF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3615 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu06081
Title:
ASAv licensing enforcement should not be CLI parser based
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASAv does not accept CLI commands without the proper license in place.

Conditions:
NA

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2), 9.4(1.203), 9.5(1.201), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCur68851
Title:
Linux Kernel CIFS Pointer Handling Local Denial of Service Vulnerabili
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerabilities and
Exposures (CVE) IDs:

CVE-2014-0069

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.2:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0069 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv12884
Title:
Unable to authenticate after removing aaa-server from a different context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Authentication error in one context after the aaa-server configuration was removed from a different context.

Conditions:
-Some contexts are using the same LDAP server.

Workaround:
ASA reload

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.6(1), 9.1(5), 9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.89), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.21), 100.15(1.38), 100.15(10.4), 100.15(15.2)
Alert Type:
Updated *
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying a capture with the trace detail option.

Workaround:
Avoid the trace detail option when displaying captures.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86)
Alert Type:
Updated *
Bug Id:
CSCur68866
Title:
QEMU virtqueue_map_sg() Function Input Validation Buffer Overflow Vuln
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2013-4535

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-4535 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases: *
100.12(0.136), 100.13(0.90), 100.14(0.68), 100.15(0.21), 100.15(1.43), 100.15(15.4), 100.15(2.75), 100.15(3.26), 100.15(4.25), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCuu82229
Title:
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After a phase 2 rekey the tunnel no longer passes traffic.

Conditions:
IKEv2 with DH group 19 or higher, after a phase 2 rekey.

Workaround:
Use a lower DH group (1, 2, 5 or 14). Of these, only group 14 (2048-bit MODP) is still considered adequate; groups 1, 2 and 5 are deprecated, so treat this as a temporary measure until a fixed release is installed.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4, 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.113), 100.14(0.79), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.1), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCur07061
Title:
Traceback on standby ASA during hitless upgrade
Status:
Fixed
Severity:
2 Severe
Description:

Regression caused by a fix in CSCuq37448.

Symptom:
ASA system traceback was observed in the data path.

Conditions:
Cisco ASA running release 9.1.5.16.

Workaround:
None.

More Info:
This issue was seen in one case during system test with ASAv during a hitless upgrade. In another case the trace indicated it might be related to using the capture feature on an ASA-SM. However, the issue is not related to failover or packet capture.
The fix for CSCuq37448 added code for detecting and handling IPsec HA packets. That code failed to handle certain corner cases and could subsequently cause a traceback. The fix for this bug removes the special handling.



Last Modified:
14-JAN-2016
Known Affected Releases:
100.12(0.56), 100.13(11.7)
Known Fixed Releases: *
100.11(0.50), 100.11(0.57), 100.12(0.118), 100.12(0.70), 100.12(6.20), 100.13(0.58), 100.13(0.6), 100.13(11.10), 100.13(12.16), 100.13(15.7)
Alert Type:
Updated *
Bug Id:
CSCuq99821
Title:
ASA/ASASM drops SIP invite packets with From field containing "" and \
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs whose From header contains a value similar to:

"\"210*******\"" ;tag=SD7osu201-gK0d0f565b

Conditions:
ASA/ASASM running 9.1.4.6 with SIP inspection turned on.

Workaround:
Disable SIP inspection.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(4.6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41)
Alert Type:
Updated *
Bug Id:
CSCuw06294
Title:
ASA: Traceback in Thread Name Checkheaps due to webvpn
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device traceback in Thread Name Checkheaps

Conditions:
ASA configured with webvpn configuration.

Workaround:
None at this time

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.224)
Known Fixed Releases: *
100.12(0.146), 100.13(0.99), 100.14(0.74), 100.15(0.28), 100.15(1.93), 100.15(16.7), 100.15(17.9), 100.15(3.54), 100.15(8.14), 9.3(3.225)
Alert Type:
Updated *
Bug Id:
CSCur68859
Title:
Linux Kernel n_tty_write Function Buffer Overflow Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-0196

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-0196 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur68865
Title:
Linux Kernel Futex Local Privilege Escalation Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3153

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3153 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu10284
Title:
ASA Dataplane captures don't capture packets when using match/access-list
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA dataplane captures show no captured packets even though the capture condition matches the flow.

Conditions:
ASA dataplane captures applied with a match or access-list option.

Workaround:
Use the dataplane captures without the match/access-list option.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.20), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.10)
Alert Type:
Updated *
Bug Id:
CSCur54979
Title:
Linux Kernel KVM Subsystem Programmable Interval Timer Emulation Denia
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3611

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3611 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu94945
Title:
ASA: Traceback while copying file using SCP on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device traceback while copying files using SCP.

Conditions:
Copying files to or from the ASA using SCP.

Workaround:
Do not use SCP to transfer files on the ASA.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(0.43)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.46), 100.14(16.1), 100.14(5.23), 100.14(7.41), 100.15(0.17), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCur68869
Title:
Linux Kernel PPP L2TP Sockets Local Elevated Privileges Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-4943

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4943 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.5(2.200), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux58151
Title:
BGP Socket Closes and Does Not Reopen
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
The ASA will be unable to create a neighborship with a BGP peer.

You may see the following Syslog at Debug level:

%ASA-7-710005: TCP request discarded from source_address/source_port to interface_name:dest_address/179

Diagnostics:

show asp table socket: on an affected unit this table will NOT show an entry with the Local Address (that is, your ASA IP address) on TCP port 179 in the LISTEN state.

Conditions:
-You have BGP and an IPv4 address-family configured on your ASA
-You have configured and activated a BGP neighbor in that IPv4 address-family
-The configured BGP neighbor is unable to establish a neighborship with the ASA.

Workaround:
In the relevant IPv4 Address-Family configuration, deactivate the neighborship between the ASA and the peer that is unable to connect, and then reactivate it.

no neighbor [IP Address] activate
neighbor [IP Address] activate

Note: This issue has been observed to affect only a single BGP neighborship on an ASA where multiple neighbors are configured. Technically, adding and removing any neighbor in the IPv4 address family should cause the ASA to open all sockets that have been closed by this defect. So it should be possible to run this command for any neighbor in the relevant IPv4 address family. If, however, your 'backup' BGP neighborship is down and you are unable to restore it by removing and re-adding its neighbor activate statement, it may be necessary to remove and re-add the active link.
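The two diagnostics this entry gives (the 710005 syslog at debug level and the absent TCP/179 LISTEN socket in show asp table socket) can be checked mechanically when many units are involved. The following Python is an added example, not Cisco's code. The show asp table socket column layout it parses (Protocol, Socket, State, Local Address, Foreign Address) is assumed from the command's output format; the table, the syslog lines, the addresses and the socket IDs are constructed samples, not output from a real device.

```python
"""Detect the CSCux58151 signature from ASA output (added example, not Cisco's code).

Inputs are constructed samples in the shape of `show asp table socket` output
and debug-level ASA syslog; the column layout is assumed, the values made up.
"""
import re

BGP_PORT = 179

# Constructed sample: an affected unit listening on 22 and 443 but not 179.
SAMPLE_ASP_SOCKET_TABLE = """\
Protocol  Socket    State      Local Address         Foreign Address
SSL       0000b4d8  LISTEN     192.0.2.1:443         0.0.0.0:*
TCP       0001c2f0  LISTEN     192.0.2.1:22          0.0.0.0:*
TCP       0002a118  ESTAB      192.0.2.1:22          198.51.100.7:51022
"""

# Constructed sample syslog from the same unit (one peer retrying BGP).
SAMPLE_SYSLOG = """\
%ASA-7-710005: TCP request discarded from 198.51.100.2/41032 to outside:192.0.2.1/179
%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51022 (198.51.100.7/51022) to identity:192.0.2.1/22 (192.0.2.1/22)
%ASA-7-710005: TCP request discarded from 198.51.100.2/41033 to outside:192.0.2.1/179
%ASA-7-710005: UDP request discarded from 198.51.100.9/5000 to outside:192.0.2.1/161
"""

# One data row of the socket table; the header row fails the hex socket-id match.
# IPv4 only: an IPv6 local address would need a different split on the last colon.
SOCKET_ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<faddr>\S+)"
)

# The syslog quoted in the bug, with the placeholders filled by a real message.
DISCARD = re.compile(
    r"%ASA-7-710005: TCP request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_asp_socket_table(text):
    """Return (proto, state, local_ip, local_port) tuples; port is None for '*'."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_ROW.match(line)
        if not m:
            continue  # header or blank line
        port = m.group("lport")
        rows.append((m.group("proto"), m.group("state"), m.group("laddr"),
                     None if port == "*" else int(port)))
    return rows


def tcp_listeners(text):
    """Set of (local_ip, port) on which the ASA has a TCP socket in LISTEN state."""
    return {(ip, port) for proto, state, ip, port in parse_asp_socket_table(text)
            if proto == "TCP" and state == "LISTEN"}


def bgp_listener_missing(asp_text, local_ip):
    """True when there is no TCP/179 LISTEN socket for local_ip: the bug's signature."""
    return (local_ip, BGP_PORT) not in tcp_listeners(asp_text)


def discarded_bgp_requests(syslog_text):
    """Count 710005 TCP discards aimed at port 179, keyed by (peer, interface, local ip)."""
    counts = {}
    for line in syslog_text.splitlines():
        m = DISCARD.search(line)
        if not m or int(m.group("dport")) != BGP_PORT:
            continue
        key = (m.group("src"), m.group("ifc"), m.group("dst"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def diagnose(asp_text, syslog_text, local_ip):
    """Combine both signals: discarded SYNs to 179 plus no listener on local_ip."""
    discards = discarded_bgp_requests(syslog_text)
    missing = bgp_listener_missing(asp_text, local_ip)
    return {
        "listener_missing": missing,
        "discards": discards,
        "suspect": missing and any(dst == local_ip for _, _, dst in discards),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_ASP_SOCKET_TABLE, SAMPLE_SYSLOG, "192.0.2.1"))
```

A 710005 discard on its own is not conclusive (the ASA also logs it for any to-the-box TCP request it has no listener for), which is why the function only flags a unit when the socket table confirms the listener is gone; after the neighbor activate workaround the TCP/179 LISTEN row should reappear.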

Further Problem Description:

Last Modified:
04-JAN-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw56882
Title:
Interface is Up on the ASA but fault is not cleared on APIC
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
You are seeing the following fault after adding an ASA device into the APIC: "Script Warning: Either the cable is incorrect or not plugged in"

Conditions:
An ASA was added to the ACI fabric via the APIC.

Workaround:
None needed; the fault can be ignored.

Further Problem Description:

Last Modified:
04-JAN-2016
Known Affected Releases:
1.2(3.5), 1.2(3.7)
Known Fixed Releases:
1.2(3.9), 1.2(5.0)
Alert Type:
Updated *
Bug Id:
CSCux51056
Title:
vpn-sessiondb doesn't show DHE prefix in Encryption field
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
vpn-sessiondb doesn't show DHE prefix in Encryption field when DHE-AES ciphers are used for Clientless SSL VPN.

Conditions:
DHE-AES ciphers used for Clientless SSL VPN.

Workaround:
Verify via "logging class ssl".

Further Problem Description:

Last Modified:
04-JAN-2016
Known Affected Releases:
9.1(6.111)
Known Fixed Releases: *
100.11(0.66), 100.8(40.112)
Alert Type:
Updated *
Bug Id:
CSCux69809
Title:
'write net' on an interface with the management-only keyword does not work.
Status:
Other
Severity:
3 Moderate
Description: *

Symptom:
When the command 'write net' is used to save the running configuration to a TFTP server that is reached through an interface with the management-only keyword, two failure modes are seen:

Case 1
If only one interface is configured, saving the configuration fails with the error "(No such device)".

Case 2
If more than one interface is configured, the global routing table is used instead of the routing table of the interface facing the TFTP server, and saving the configuration fails with the error "(Timed out attempting to connect)".

The issue is related to the feature introduced in 9.5(1), 'Separate routing table for management-only interfaces'.

Conditions:
- Version 9.5(1)
- management-only is configured under the interface facing the TFTP server

Workaround:
Use command 'copy running-config tftp:'

Further Problem Description:

Last Modified:
05-JAN-2016
Known Affected Releases:
9.5(1), 9.5(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuo85585
Title:
ARP debug messages print without a newline on the standby unit
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ARP debug messages print without a newline on the failover standby unit.

Conditions:
ARP debugging is enabled on the standby unit; the messages are written to the console without a newline between them.

Workaround:
None

Further Problem Description:

Last Modified:
05-JAN-2016
Known Affected Releases:
9.1(5.1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.8(40.106)
Alert Type:
New
Bug Id:
CSCux64137
Title:
ASA NTP Documentation Clarification
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:
This is a documentation issue for the Cisco Adaptive Security Appliance (ASA). ntp authenticate does not enforce authentication, it
enables it. There are interdependent commands which must also be enabled to create authenticated NTP sessions. The Usage Guidelines are unclear on
this point.

To ensure an authenticated NTP session, one must
1) enable authentication:
ntp authenticate
2) create an NTP key:
ntp authentication-key key_id md5 key
3) associate the key with the ntp server command:
ntp server ip-address key key_id

The ASA command reference additionally requires the key ID to be marked as trusted (ntp trusted-key key_id). Whether a peer is actually authenticated can be confirmed with show ntp associations detail, which lists the peer as "authenticated".

Conditions:
Documentation bug

Workaround:
Not applicable or available.

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-JAN-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux76949
Title:
Doc: New IPAA syslogs 737034-737036
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Update the syslog documentation with 3 new syslogs:
%ASA-5-737034: IPAA: Session=, {IPv4 | IPv6} address:
%ASA-7-737035: IPAA: Session=, '' message queued
%ASA-6-737036: IPAA: Session=, Client assigned from DHCP

Conditions:
Syslogs

Workaround:

Further Problem Description:

Last Modified:
08-JAN-2016
Known Affected Releases:
9.1(6.116)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus79187
Title:
ASDM may stall @ 72% refreshing large number of VPN Sessions
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
Affected components: all ASA releases, ASDM 7.3.2 and 7.3.3.
ASDM client host is a Windows 7 machine using JRE version 1.7.0_67.

ASA 5585-20 with thousands of AnyConnect VPN (or other type) tunnels established.

To reproduce:
1) Navigate to ASDM Monitoring > VPN > VPN Statistics > Sessions
2) Select Filter By: AnyConnect Client, "All Sessions"
3) Press the Refresh button at the bottom of the panel
4) ASDM may get stuck at 72% loading and never complete refreshing the screen.
5) Clearing the ASDM cache, exiting and re-logging in does not refresh it.

Conditions:
ASDM Monitoring > VPN Sessions

Workaround:
Change the ASDM timeout.

Further Problem Description:

Last Modified:
12-JAN-2016
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux83951
Title:
Doc bug as ASAv does not support VMXNET3 interface
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
This is a DOCUMENTATION bug only.

The CCO document at

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/interface-basic-asav.pdf

states that the ASAv supports the VMXNET3 interface; it does not.

The document needs to be corrected.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
13-JAN-2016
Known Affected Releases:
9.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv11963
Title:
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA fails to validate the AnyConnect client certificate issued by the intermediate CA under the conditions below.

Conditions:
1. ASA running 9.3.3.1, configured for certificate authentication.

2. Root CA cert must have ECDSA signature algorithm and ECDSA public key.

3. Intermediate CA cert must have ECDSA signature algorithm with RSA public key.

4. ASA ID cert must have RSA signature algorithm with RSA public key.

5. Client cert must have RSA signature algorithm with RSA public key.

Workaround:
NONE

Further Problem Description:
When connecting to the ASA from the AnyConnect client machine, the client sends its ID cert and the ASA fails to verify the cert chain with the debug output below.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI:Failed to set key info for get public key obj, status: 542, keylen: 294
CRYPTO_PKI: Verify chain of certs failed to get pubkey from signer.

Root, intermediate and ID certs are installed in separate Trustpoints in ASA. We have also tried installing intermediate and ID cert in single Trustpoint which results in same failure.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.1), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.2), 100.15(3.50), 100.15(6.33), 100.15(8.13), 9.4(1.112)
Alert Type:
Updated *
Bug Id:
CSCuu07462
Title:
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno)
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASAv attempts to verify its image during bring up, but ends up failing with a console message of...

The digital signature of the booted image file did not verify successfully. 57 (Unable to get the platform key storage size or key is corrupted)
Rebooting now...

Conditions:
Failure occurs when deploying the ASAv on a KVM hypervisor with a host that is running with a RHEL OS distribution. The problem was noticed on RHEL version 7.1 and OpenStack (Juno).

Workaround:
A workaround to reach the ASAv CLI prompt is to remove the virt-install variable setting --cpu host. You can also set the variable to --cpu none. However, setting --cpu to 'none' may have an impact on the performance characteristics of the ASAv.

Further Problem Description:
A case has been opened with Red Hat (https://access.redhat.com/support/cases/#/case/01431506).

As a workaround, update the /etc/nova/release file on the compute node and restart the openstack-nova-compute service:

[root@compute]# cat /etc/nova/release
[Nova]
vendor = Red Hat <===
product = OpenStack
package = 19.el7ost


Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.200)
Known Fixed Releases: *
100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCut96928
Title:
ASA : Password creation date is decrementing by one with every reboot
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA "Local User" password creation date decrements by one day with every reboot.

Conditions:
ASA configured with Command : password-policy lifetime

Workaround:
No workaround

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCuv07126
Title:
ikev2 enable added to config when zones are used despite ERROR msg
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
If an interface is a member of a traffic zone, neither webvpn nor IKEv1 can be enabled on it. IKEv2, however, is still added to the configuration despite the ERROR message.

Conditions:
-- Traffic Zones used.
-- Attempt to enable ikev2

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.82), 100.14(0.56), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12), 100.15(4.15)
Alert Type:
Updated *
Bug Id:
CSCuu19489
Title:
ASA inspection-MPF ACL changes not inserted into ASP table properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
New ACL changes not taking effect for inspection policies.

When adding new rules to the top of an existing ACL which is mapped to an inspection policy, the ASA installs this rule incorrectly at the bottom of its ASP table. This is applicable for any inspection policy that has an ACL bound to it.

Conditions:
There should be an ACL bound to an inspection policy.

Workaround:
Remove and re-apply the service-policy, or remove and re-apply the affected class-map in the policy-map.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu16983
Title:
ASA: failover logging messages appear in user context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Failover syslog messages should appear in the admin context, but they appear in user context.

Conditions:
ASA in multi-context mode.

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5.19), 9.2(2.8)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuw33713
Title:
IKEv2: crypto isakmp identity auto doesn't work - DN not IKE ID but IP.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Despite "crypto isakmp identity auto", the ASA does not send the DN as the IKE ID; it consistently sends the IPv4 address.

As a result, peer identity verification fails.

Conditions:
1. IKEv2 L2L VPN

2. Certificate hierarchy:

ECDSA key root
ECDSA key sub
ECDSA key identity

OR

RSA key root
ECDSA key sub
ECDSA key identity


3. "crypto isakmp identity auto" enabled

Workaround:
Disable peer ID validation under the tunnel group:

tunnel-group x.x.x.x ipsec-attributes
peer-id-validate nocheck

Note that peer-id-validate nocheck turns off the check that the peer's certificate identity matches the tunnel group, so revert it once a fixed release is installed.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3), 100.16(1.6)
Alert Type:
Updated *
Bug Id:
CSCuu76651
Title:
Traps are not sent after hyperlite boots up with all data interfaces shut
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SNMP traps are not transmitted from the ASA

Conditions:
Saleen and Kenton platforms.

The ASA boots with all of its data interfaces administratively shutdown.

Workaround:
Administratively enable (no shutdown) a data interface.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(29.11)
Known Fixed Releases: *
100.12(0.132), 100.13(0.84), 100.13(29.101), 100.13(29.34), 100.14(0.63), 100.14(16.2), 100.14(5.24), 100.14(7.46), 100.15(1.29), 100.15(10.3)
Alert Type:
Updated *
Bug Id:
CSCut64846
Title:
To-the-box UDP traffic not getting inspected and getting dropped on ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
To-the-box UDP traffic not getting inspected and getting dropped on ASA even when the default floating route exists.

Conditions:
- Two default routes with different metrics are configured.
- UDP polling only works on the interface with the better metric and fails on the other interface.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(7.23), 9.1(6), 9.2(3), 9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.74), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuv02619
Title:
Standby ipv6 address setting is not replicated to standby
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The standby IPv6 address setting is not replicated correctly to the standby unit.

Conditions:
In L2 firewall mode and multiple context mode.

Workaround:
'write standby' twice on the active unit.

Further Problem Description:
none

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6.6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.67), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(15.4), 100.15(4.24), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCuu09302
Title:
ASAv: RSA key pair needs to be automatically generated with 2048 bits
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
RSA keys generated automatically on ASAv use 1024-bit length.

Conditions:

Workaround:
crypto key generate rsa general-keys modulus 2048

This replaces the default key pair, so SSH clients will see a changed host key on their next connection.
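On the box, show crypto key mypubkey rsa reports the modulus size directly; from outside, the size of the SSH host key an ASAv presents can be measured from the line ssh-keyscan -t rsa <asav> prints. The following Python is an added example, not Cisco's or OpenSSH's code: it decodes the ssh-rsa public key wire format (RFC 4253 section 6.6: string "ssh-rsa", mpint e, mpint n) with the standard library only and flags moduli below 2048 bits. The two sample key lines are constructed from made-up moduli of 1024 and 2048 bits, not keys taken from any device, and the hostname is an assumption.

```python
"""Check the RSA modulus size of an SSH host key (added example, not vendor code).

Parses the `<host> ssh-rsa <base64>` line printed by `ssh-keyscan -t rsa`.
The ssh-rsa wire format (RFC 4253) is real; the sample keys are constructed.
"""
import base64
import struct

MIN_BITS = 2048  # CSCuu09302: ASAv auto-generated 1024-bit keys below this floor


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:            # leading zero keeps the value positive
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b


def _string(s):
    return struct.pack(">I", len(s)) + s


def encode_ssh_rsa(e, n):
    """Build the base64 blob ssh-keyscan prints for an RSA host key."""
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()


def _read(blob, off):
    """Read one length-prefixed field at offset off; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def decode_ssh_rsa(b64):
    """Return (e, n) from an ssh-rsa base64 blob; reject other key types."""
    blob = base64.b64decode(b64)
    ktype, off = _read(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_bytes, off = _read(blob, off)
    n_bytes, off = _read(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def rsa_bits_from_keyscan_line(line):
    """Parse one `ssh-keyscan` line and return the modulus bit length."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("expected '<host> ssh-rsa <base64>': %r" % line)
    _, n = decode_ssh_rsa(fields[2])
    return n.bit_length()


def is_weak_host_key(line, minimum=MIN_BITS):
    """True when the host key's modulus is shorter than the required minimum."""
    return rsa_bits_from_keyscan_line(line) < minimum


# Constructed samples: arbitrary odd moduli with the top bit set, not real keys.
SAMPLE_1024 = "asav.example.net ssh-rsa " + encode_ssh_rsa(65537, (1 << 1023) | 0x1234567)
SAMPLE_2048 = "asav.example.net ssh-rsa " + encode_ssh_rsa(65537, (1 << 2047) | 0x89abcdef)

if __name__ == "__main__":
    for line in (SAMPLE_1024, SAMPLE_2048):
        print(rsa_bits_from_keyscan_line(line), "bits, weak:", is_weak_host_key(line))
```

Run the check against the real line from ssh-keyscan before and after the workaround: the bit length should move from 1024 to 2048, and the host key fingerprint recorded in clients' known_hosts files will change at the same time.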

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(21.11), 100.14(5.10), 9.4(1)
Known Fixed Releases: *
100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCua32176
Title:
IPv6 Complete Packet Fragment Reassembly Check Bypass
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
It is possible for a crafted IPv6 packet to bypass the fragment reassembly check of the Cisco Adaptive Security Appliance (ASA).

Conditions:
Cisco ASA configured for IPv6.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5736 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.11(0.63), 100.12(0.143), 100.12(0.146), 100.13(0.100), 100.13(0.95), 100.14(0.71), 100.14(0.73), 100.15(0.24), 100.15(0.26)
Alert Type:
Updated *
Bug Id:
CSCuu96492
Title:
'terminal pager' does not clear when authorization auto-enable is used
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Terminal pager lines will not re-initiates the pager value from the running config even after the sessions terminates, unless we use a login or enable in the EXEC mode.

But when this is used along with aaa authorization, the user will not be prompted for the password when entering privileged EXEC mode.
aaa authorization exec authentication-server auto-enable

So, if any of the user enters the terminal pager command, it is affecting other user sessions when logged in using aaa with privilege credentials.

Conditions:
terminal pager is used and the following command is enabled:
aaa authorization exec authentication-server auto-enable

Workaround:
We can clear the terminal pager instead of logging in with the enable or login command:
clear terminal pager

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5.240)
Known Fixed Releases: *
100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.63), 100.15(3.16), 100.15(4.20), 100.15(5.23), 9.4(1.99)
Alert Type:
Updated *
Bug Id:
CSCut67315
Title:
ASA: Top 10 Users status is not getting enabled from ASDM.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Top 10 Users status is not getting enabled from ASDM.

Conditions:
ASA running code 9.3.2

Workaround:
Downgrade ASA to 9.1.5 to get this feature working.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCut71347
Title:
PBA: Generate syslogs for port block allocation related failures
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
No syslogs generated when no more blocks can be allocated from the pool or when a user has already reached the configured maximum-per-host limit.

Conditions:
Either no more blocks can be allocated from the pool or when a user has already reached the configured maximum-per-host limit.

Workaround:
Currently, debug messages are generated for these failures; they can be enabled with "debug nat 255".

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(4.31), 100.14(6.20)
Known Fixed Releases: *
100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15), 100.15(2.47), 100.15(3.6), 100.15(4.10), 100.15(5.12)
Alert Type:
Updated *
Bug Id:
CSCut39169
Title:
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Some content on a Peoplesoft based application may fail to be displayed or accessible through clientless webvpn

Conditions:
The application is processed by the webvpn rewriter

Workaround:
Use Smart-tunnel

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.7)
Alert Type:
Updated *
Bug Id:
CSCut85049
Title:
Issue with downloading images from Sharepoint
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Image cannot be downloaded from Sharepoint

Conditions:
After cookies and cache are cleared from browser

Workaround:
Right click on the image and do a 'Save As' and select local disk

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(3.8), 9.4(1.112)
Known Fixed Releases: *
100.12(0.137), 100.13(0.93), 100.14(0.13), 100.14(10.23), 100.14(5.15), 100.14(6.7), 100.14(7.6), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv32789
Title:
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Acting as the IKEv2 responder, the ASA receives an initial IKEv2 packet that contains more than 10 NAT_DETECTION_SOURCE_IP payloads from the initiator. The ASA rejects the connection, enumerates 10 payloads and prints "INVALID_SYNTAX" afterwards.

Conditions:
- ASA acts as IKEv2 responder.
- ASA receives more than 10 "NAT_DETECTION_SOURCE_IP" payloads from the initiator.

Workaround:
Use IKEv1

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.62), 100.12(0.141), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.62), 100.15(16.1), 100.15(17.1), 100.15(3.36), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCuv60724
Title:
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Unicast Reverse Path Forwarding (uRPF) feature in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to bypass the uRPF validation checks.

The vulnerability is due to incorrect uRPF validation where IP packets from an outside interface whose IP address is both in the ASA routing table and associated with an internal interface are not dropped. An attacker could exploit this vulnerability by sending spoofed IP packets to the ASA in a subnet range which should be dropped. An exploit could allow the attacker to bypass uRPF validation on the ASA and the packet will be incorrectly forwarded on the internal network.

Conditions:
The ASA has the command "ip verify reverse-path interface" configured on an outside interface which has a default route.

Workaround:
None.

Further Problem Description:
This problem was introduced by ASA software version 9.3(3).

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4321 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(1.50), 9.3(2.100), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.32), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuw32125
Title:
ASA stacktrace in vpn client disconnect that had dACL applied
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the console of an ASA, the following stacktrace is seen.

Aug 12 14:54:50 10.0.7.81 %ASA-0-711001: -Traceback: 000000000042A63E 0000000001187B31 00000000011A7195 00000000011A75B3 00000000011AFBDD 00000000011B1738 0000000000531469 0000000000532D1E 0000000000540F86 0000000000531F1F 00000000004286D5

It decodes to the following:

Version:arsenal/9.0.4.17
Image Type: asa
Executable: smp
Symbol File: smp.sort

The stack trace decode suggests that it occurs when a client that had a dACL applied disconnects.

Conditions:
ASA 5580-40 running version asa904-17-smp-k8

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3), 100.16(1.6)
Alert Type:
Updated *
Bug Id:
CSCuw03407
Title:
DHCPD Search domain shorter than 10 characters is corrupted
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA is acting as a DHCPD server, it may corrupt the DHCP OFFER and DHCP ACK packets if the domain name configured in the DHCPD section is shorter than 10 characters.

Conditions:
This is seen when the DHCPD configuration has an interface-specific DNS search suffix that is less than 10 characters long:

dhcpd address 192.168.1.40-192.168.1.40 guest
dhcpd dns 10.0.0.100 interface guest
dhcpd domain abc.ca interface guest <<<<<<<<<<<<<<<<
dhcpd enable guest

This will result in the DNS search domain being sent out as a combination of the configured domain and 'cisco.com'. This can be checked using packet captures of the DHCP traffic.

In the above example, the ASA will pad the configured domain with the letters from cisco.com to reach 'abc.caom'.

Workaround:
Do not configure this field or use a longer domain if feasible.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.99), 100.14(0.73), 100.15(0.26), 100.15(1.81), 100.15(16.3), 100.15(17.1), 100.15(3.49), 100.15(6.31), 100.15(8.13), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCut48571
Title:
Incorrect cert chain sent to connecting IPSec clients
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA might not send the correct certificate chain to connecting IPSec clients.

Conditions:
This may occur if the ASA has more than one version (same DNs, but different public keys) of any one of the chain certificates in its configuration.

Workaround:
It may be possible to work around this by repositioning the affected certificates and trustpoints in the configuration.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.7), 100.14(3.5), 100.14(4.25)
Alert Type:
Updated *
Bug Id:
CSCuu13345
Title:
Drop reasons missing from asp-drop capture
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Drop reasons missing from asp-drop capture.

Conditions:
Viewing the capture with "show capture"
-or-
Downloading via HTTP with https:///capture/

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.12(0.128), 100.13(0.77), 100.13(0.78), 100.13(21.15), 100.13(21.16), 100.14(0.27), 100.14(0.35), 100.14(10.23)
Alert Type:
Updated *
Bug Id:
CSCuv88898
Title:
WEBVPN Rewriter: Stops mangling after hex code of Period on Bookmark URL
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the hex code of the characters in a URL is used in the bookmark for Clientless WebVPN, the URL mangling stops after the hex equivalent of "period" is seen.
For example:
For http://www.cisco.com we use "http://www.cisco.com"
The mangled URL looks like this
https://ASA IP/+CSCO+0h756767633A2F2F6A6A6A++/.cisco.com

The mangling stops at ., which is the hex equivalent for "period".

Conditions:
Hex code is used in the bookmark URL.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.106), 100.14(0.76), 100.15(0.39), 100.15(17.14), 100.15(3.63), 100.15(8.16), 100.16(0.2), 100.16(1.3)
Alert Type:
Updated *
Bug Id:
CSCuw40468
Title:
DHCP proxy overwrites chosen DHCP server in multiple DHCP server scenario
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect clients stop connecting to the ASA because they are no longer able to get an address from the DHCP server.

Conditions:
- multiple DHCP servers configured on the ASA
- either a DHCP server is behaving incorrectly, in that it sees the REQUEST (with the other server's IP) and still replies with an OFFER, or the OFFER was sent by the non-selected DHCP server before it saw the REQUEST

Workaround:
Configure only one DHCP server.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.44), 100.15(17.18), 100.15(3.68), 100.15(8.17), 100.16(0.2), 100.16(1.5)
Alert Type:
Updated *
Bug Id:
CSCua32157
Title:
Remove Code for Type 0 Routing Headers
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.54), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCut67779
Title:
Investigate impact of jumbo-frame reservation on low-end ASA platforms
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Low-end ASA models, like the ASA5512-X or ASA5515-X, may fail to boot if jumbo frames are enabled (jumbo-frame reservation) and an additional interface card, like the ASA-IC-6GE-CU-A card, is present in the chassis.

Conditions:
This issue was seen in 9.2(3) and 9.3(1) software.

Workaround:
Try to load 9.3(2) software, run "no jumbo-frame reservation" and reload.

Further Problem Description:
Even though 9.3(2) software boots up, the ASA cannot service ASDM connections if jumbo frames are enabled. This happens due to the low volume of free DMA memory. Use the "show memory detail" command to check.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuv72055
Title:
Linux Kernel splice() System Call Parameters Validation Local Denial o
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-7822

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:TF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-7822 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 6.0, 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut69675
Title:
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Radius Acct-Terminate-Cause for an L2TP over IPSec session is incorrect.
The value in the Accounting-Request is always User-Request even if the disconnect reason is loss of service.

Note:
The session-timeout, idle-timeout, etc. cases were covered by CSCus88626, now in verified state.

Conditions:
none

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(7.23), 9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(0.9), 100.14(1.7), 100.14(10.11)
Alert Type:
Updated *
Bug Id:
CSCut54218
Title:
ASA tunnel-group "password-expire-in-days" not prompting a password change
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The "password-expire-in-days" option of "password-management" is not prompting users for a password change.

Conditions:
Use of AnyConnect remote access and WebVPN tunnel-group "password-management".

Workaround:
Revert to version 9.3.1

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Alert Type:
Updated *
Bug Id:
CSCuu33321
Title:
Two Dynamic PAT with and without block-allocation
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A wrong NAT CLI could be configured.

Conditions:
Two or more dynamic PAT rules that share the same mapped address should have the same "block-allocation" option (either all enabled or all disabled), but the ASA allows them to be configured inconsistently.

Workaround:
Delete and re-add the wrong rule.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(6.29), 100.15(5.4)
Known Fixed Releases: *
100.14(0.19), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3), 100.15(4.5), 100.15(5.6)
Alert Type:
Updated *
Bug Id:
CSCuu48813
Title:
WebVpn: portal is not displayed after re-login
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When logging in to WebVPN after having logged out from it once, the ASA goes to a different page than the portal.

Conditions:
This started to happen in 9.1(5)16 and later.

Workaround:
1. Roll back to 9.1(5), if acceptable.
2. Restart the browser after logging out and before logging in again.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5.160), 9.1(5.190), 9.1(6)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut49724
Title:
Corrupted host name may occur with DHCP
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Corrupted host name may occur with DHCP

Conditions:
Timing issue that can happen because the hostname pointer is shared by both the WebVPN and IP address subsystems.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuw36596
Title:
GTP: Responses w/ cause != Request Accepted should not be dropped
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Responses with a cause value other than Request Accepted may be dropped by the ASA.

Conditions:
This occurs when the request is not accepted by the receiver.

Workaround:
Configure permit-errors to allow the packet through.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4), 100.16(1.10), 9.5(1.170), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCuv62204
Title:
"show ipv6 neighbor" command not available in system space
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show ipv6 neighbor" command is not available in the system execution space

Conditions:
ASA in multiple mode.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.13(0.97), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30), 100.15(8.13), 9.4(1.107), 9.4(2)
Alert Type:
Updated *
Bug Id:
CSCux22635
Title:
diameter inspection should be tied to GTP/Carrier license
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The class-map and policy-map CLIs are accepted even when the Carrier license is disabled.
Expected Behavior:
ASA should not accept the config.

Conditions:
ASA 9.5.2 image with Carrier license disabled.

Workaround:
Workaround

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.5(1.109)
Known Fixed Releases: *
100.15(0.97), 100.15(8.35), 100.16(0.11), 100.16(1.50), 100.16(15.7), 9.5(1.111), 9.5(1.194), 9.5(2), 96.1(1.4), 96.1(6.1)
Alert Type:
Updated *
Bug Id:
CSCup89922
Title:
ASA DNS lookups always prefer IPv6 response
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A DNS server configured on the ASA will always receive IPv6 DNS requests (type=AAAA) if any of the interfaces are configured with IPv6. There is no way to prevent this behaviour, or to make the ASA prefer sending type=A requests.

Conditions:
This only occurs if IPv6 is enabled on any interface of the ASA, even if no Globally Unique Address is assigned. If IPv6 is enabled, then the ASA only makes type=AAAA DNS requests. This will always result in an IPv6 DNS response, and can potentially cause features that depend on DNS to fail (e.g. Smart Call Home).

Workaround:
Disable all IPv6 addresses on the ASA.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(0.2), 9.1(1), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuc16662
Title:
HTML/Java File Browser- created file or folder shows 9 months offset
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a new folder or file is created on the FTP or CIFS server over WebVPN, the creation date shown has a 9-month offset.

Conditions:
1. Create a new folder or file on the FTP or CIFS server.
2. The date has a 9-month offset.
3. The date checked on the share server looks fine.
4. Could be a display issue.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.3(1), 9.0(0.113)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuu08031
Title:
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There is a very big difference between tx-ring-limit 512 and tx-ring-limit 511.

More specifically, we see that with tx-ring-limit 512 packets the LLQ traffic has packet loss, while we don't see any Tail Drops for BE traffic.
With tx-ring-limit 512, the bigger the average packet size for BE traffic, the bigger the packet loss for LLQ traffic.

With tx-ring-limit 511 packets, LLQ traffic has no packet loss anymore, while we start seeing many Tail Drops for BE traffic, which is actually expected.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(7.26)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut37042
Title:
Secondary ASA stuck in config sync while upgrading to 8.4.x
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In a situation where we are doing a "zero-downtime upgrade" of the firewall from 8.2(5)48 to 8.4.x, we see the following repeated messages on the console of the secondary unit (the primary has not yet been upgraded). Even after waiting for several hours the logs keep appearing.

WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 10.0.0.0 255.0.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 172.20.0.0 255.252.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 192.168.0.0 255.255.0.0 eq 9998 log
:
:

Conditions:
While upgrading to 8.4(6) or 8.4(7)3 or 8.4(7)23.

Workaround:
The issue does not occur for standalone ASA.

Manually upgrade (no zero-downtime upgrade), arranging a downtime window to upgrade the primary and secondary at the same time so that they do not get into configuration syncing.

Further Problem Description:
Looking at the flow that leads to these warning messages, it appears they start in the "replication" phase rather than the "upgrade" phase (the upgrade itself completes successfully).

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(6), 8.4(7), 8.4(7.230)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCui37201
Title:
Misleading error msg for pat-pool with mapped object
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A wrong error message is thrown while configuring dynamic PAT.

Conditions:
Issue is seen with dynamic PAT.

Workaround:
None.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(2.5)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.56), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCuu54660
Title:
ASA Remote Access - Phase 1 terminated after xauth
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IPSEC remote access clients are intermittently not able to connect.
The user is prompted for password and then the connection fails.

From the ASA debugs we can see that Phase 1 and XAuth + config mode pass fine. Then the ASA deletes Phase 1, sends delete information to the client and discards the QM1 packet sent by the client.

Conditions:
MacOS / iOS built-in IPSEC VPN client.
Clients behind NAT.
More detailed triggers unknown.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuw82198
Title:
Default inspection engines enabled on Standby but not on Active ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standby ASA can have some default inspection engines running on custom contexts while the same are not enabled on the Active unit.

Conditions:
> Pair of ASA units running as a failover pair (Act/Stb or Act/Act)

Steps to reproduce:

> Load the context configuration file ONLY into the Primary ASA flash memory
> Initialize the context on the Primary, configuring the context statements and pointing the config-url at the file loaded on the Primary flash
> Run "write mem all" or "write memory" on the context created
> Check the file with the context config on the Secondary ASA flash using the command "more disk0:/ | b policy-map"
> Default inspection engines are displayed.

Workaround:
Running the "write standby" command on Active unit of affected context fixes the problem.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6.8), 9.4(1.6)
Known Fixed Releases: *
100.13(0.120), 100.14(0.83), 100.15(0.86), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 9.5(1.193), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCuv13998
Title:
ASA : Unable to save configuration or copy files on ASA flash
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Copying or saving files on the ASA flash fails despite enough available space on flash.

Conditions:
This occurs when the root directory is reaching the limit of 255 files.

Workaround:
No workaround for this issue.

NOTE: Even after the upgrade to pick up the fix, the ASA flash needs to be formatted for the changes to take effect.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.15(2.49)
Known Fixed Releases: *
100.13(0.90), 100.14(0.68), 100.15(0.22), 100.15(1.43), 100.15(15.4), 100.15(2.76), 100.15(3.26), 100.15(4.25), 100.15(8.9), 9.4(1.99)
Alert Type:
Updated *
Bug Id:
CSCuw59382
Title:
Rewriter errors when access IEEE website search feature through portal
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Search feature does not work when the following Internet page is opened through WebVPN:
http://ieeexplore.ieee.org/Xplore/home.jsp

Conditions:
When the page is opened and any keyword is searched

Workaround:
Use smart-tunnel

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(2), 9.4(2.1), 9.5(0.191), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20)
Alert Type:
Updated *
Bug Id:
CSCuw08183
Title:
ipAdEntNetMask is not gettable using snmpget with failover IP address
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ipAdEntNetMask is not gettable using snmpget with failover IP address.

Conditions:
When trying to get the ipAdEntNetMask value of the failover interface using snmpget.

Workaround:
Use snmpwalk for this value.

Further Problem Description:
none

Last Modified:
14-JAN-2016
Known Affected Releases:
9.0(1), 9.0(4.35), 9.1(6.6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCut75202
Title:
PKI: potential pki session handle leak in IKEv2 L2L configurations
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA may become unable to establish certificate-enabled LAN-to-LAN IKEv2 tunnels due to the exhaustion of PKI session handles.

Conditions:
In IKEv2/IPSec L2L configurations that are secured with digital certificates, the ASA may leak PKI session handles as connections are established. This will only occur in rare conditions where both tunnel peers initiate the tunnel at effectively the same time. Connection failures occur once 1000 session handles are either leaked or in use. Leaked handles can be recovered by rebooting the ASA.

Workaround:
The problem can be worked around by converting the LAN-to-LAN tunnel configurations to IKEv1.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCuv86227
Title:
ASA sending incorrect ACL hash for ASDM TopN ACL statistics on a cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message under firewall dashboard "n/a config out of sync" for ASDM supporting ASA cluster.

Conditions:
Running an ASA cluster managed by ASDM with threat detection statistics turned on.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13)
Alert Type:
Updated *
Bug Id:
CSCus14568
Title:
seamless upgrade on spyker A floods error messages to both asa units
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The following error message floods the console of both ASA units during a step of a seamless upgrade operation from any build 9.3.1 or older to 9.3.2 and newer:

Number of interfaces on Active and Standby are not consistent.
If the problem persists, you should disable and re-enable failover
on the Standby.

Conditions:
There is a phase in the seamless upgrade operation when the primary ASA has a different image on it than the secondary. During this phase, a stream of debug messages is continually generated to the console.

It appears as though these messages are only a nuisance and they will subside once both units are returned to a state where they are both running the same image.

The event stream is somewhat of a flood but not bad enough to prevent basic control of the seamless upgrade procedure.

Workaround:
No workaround is needed because all operations remain functional throughout the process.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(1.24), 9.3(2)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.66), 100.15(16.1), 100.15(17.1), 100.15(3.35), 100.15(6.21), 100.15(8.12)
Alert Type:
Updated *
Bug Id:
CSCuv02304
Title:
EEM action not executed on absolute time when NTP is configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The EEM action is not executed at the exact "absolute time" configured when NTP is configured. The command is executed with some delay, or earlier than configured.
With the following configuration, the action should be executed at 10:30:00, but it is not executed on time (for example, it runs at 10:29:58).

event manager applet eem-test
event timer absolute time 10:30:00
action 0 cli command "show xxxxx"
output file new
ntp server x.x.x.x

Conditions:
When an NTP server is configured, or when the clock time is changed.

Workaround:
Re-configure the EEM applet absolute timer if NTP is configured or the time is changed by any other means (e.g. via the 'clock set' command if NTP is disabled). This will cause the timer to be re-synced with the current clock time.

Further Problem Description:
The time difference is due to the internal clock drift. It is typically a few seconds.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCub30181
Title:
ASA doesn't set ACE inactive when time-range expires
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some scenarios, after a time-range expires, the ASA does not mark the ACE as inactive. This causes traffic to be incorrectly permitted or denied after the time range is no longer valid.

Conditions:
This affects ASA versions 8.4.1 - 8.4.4.

Workaround:
Make any change to the ACL policy that forces the configuration to be re-applied. For example, move the start time of the time-range forward by 1 minute.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2012-3925 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.7(13.93), 8.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.115), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCuu18564
Title:
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The Calendar Frame may not be displayed on the Web-page when accessed through the ASA's WebVPN portal.

Conditions:
ASA running 9.3(3)1 acting as an SSL VPN server.
Users access a site through the WebVPN portal, and this site contains a Calendar month displayed in a frame using jQuery JavaScript.

Workaround:
Use the Smart-Tunnel feature.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCut64327
Title:
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrading the code from 9.1.1 to 9.1.2/9.1.6, L2TP/IPsec users are not able to access inside resources.

Inside hosts can reach the connected L2TP/IPsec client fine.

Set up:
*******
10.48.100.0/24-----[inside] ASA [outside]---------ISP---------------Site-to-Site-VPN-peer----10.48.0.0/16 ( contains multiple subnets in 10.48.x.0/24 range, so it has been summarized to /16)
|
|
|------------------l2tp/ipsec-vpn user (10.48.252.128-10.48.252.254)

NOTE: The VPN pool falls within the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added.

*************
access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0
*************
The presence of either of the two ACEs shown above causes the drop ("vpn-overlap-conflict"); only removing both fixes the traffic issue, after which the L2TP/IPsec client can reach inside resources fine.

'sh asp drop' shows large increments in the 'vpn-overlap-conflict' counter.

Conditions:
The VPN pool falls within the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added to the static map ACL.


access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0 //** Deny vpn pool
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0 //** site to site vpn ACE

Workaround:
Use a different range/subnet for remote-access (RA) users.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(1), 9.1(6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu00733
Title:
ASA: ECMP stopped working after upgrade to 9.3.2
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrading to 9.3.2, for equal-cost routes via the same interface, for example:

O IA 172.25.225.0 255.255.255.0
[110/4012] via 172.22.247.4, 12:12:19, outside
[110/4012] via 172.22.247.3, 12:12:19, outside

the ASA sends most of the traffic via the first (sometimes the second) gateway instead of load balancing.

Conditions:
Equal-cost routes via the same interface on the ASA.

Workaround:
Downgrade to 9.3.1

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.124), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Alert Type:
Updated *
Bug Id:
CSCuv01022
Title:
ASA:OSPF over L2L tunnels is not working with multiple cry map entries
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
OSPF over L2L tunnels is not working. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
Multiple crypto map sequence numbers configured under a single crypto map.

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCuv52750
Title:
Cannot change "management-only" for port-channel interfaces on 5500-X
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Once a port-channel interface is created, its management-only setting cannot be changed (enabled or disabled, whatever the initial management-only setting was when the interface was created). The following error is shown if an attempt to change the setting is made:

"It is not allowed to make changes to this option for management interface on this platform"

This happens only with port-channel interfaces, and this behavior is not tied to the management-only state of the member interfaces.

Conditions:
5500-X models, excluding 5585-X

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83), 100.15(3.30), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuu92632
Title:
ASA sets non-zero FA in OSPF for anyconnect redistributed network
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Redistribution of AnyConnect static routes on ASA 9.x doesn't work.

The output of the command "show ospf database external" shows the forward address being set to non-zero/incorrect value.

ciscoasa# show ospf database external 10.0.103.161

OSPF Router with ID (172.16.10.1) (Process ID 1)

Type-5 AS External Link States

LS age: 1503
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 10.0.103.161 (External Network Number )
Advertising Router: 172.16.10.1
LS Seq Number: 80000001
Checksum: 0xfff4
Length: 36
Network Mask:255.255.255.255
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 172.16.10.10 <----------------
External Route Tag: 0

Conditions:
- ASA with OSPF enabled
- redistributing AnyConnect VPN static addresses into OSPF
- AnyConnect VPN terminates on the same interface where redistribution is performed

Workaround:
Route the redistributed network to the Null0 interface.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(10.3), 100.15(2.65), 100.15(3.16), 100.15(4.20)
Alert Type:
Updated *
Bug Id:
CSCus37840
Title:
AnyConnect upgrade from AC 2.5 to AC 3.1 fails
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect upgrades fail from 2.5.X to 3.1.Y.

Conditions:
ASA 9.2(1), AC upgrade from client 2.5.6005 to 3.1.5170. In general, any upgrades from AC 2.5 to 3.1 fail. Failure here means that the new version is not able to resume the tunnel initiated by the old version. The new version is still downloaded and installed.

Workaround:
None.

Have client manually reconnect with the new version.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20)
Alert Type:
Updated *
Bug Id:
CSCuu61981
Title:
http server shows as enabled in running config while not
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the configuration command "http server enable" fails due to a port usage conflict with AAA, with the error message "ERROR: Port 443 is being used on interface public by an aaa authentication listener", the configuration is incorrectly updated to include "http server enable".

Conditions:
When "http server enable [port-number]" is attempted but the designated port is already in use (e.g., by AAA).

Workaround:
Remove the conflicting configuration before "http server enable".

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCut58935
Title:
WebVPN: Tsweb fails to work through clientless portal
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
TSWeb access through clientless VPN may fail when using a customized TSWeb portal. Users will see a blank window instead of the server logon screen.

Conditions:
ASA running 9.1.5.10 or later releases

Workaround:
Use the RDP plugin or smart-tunnel the terminal services client.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5.10), 9.1(5.19), 9.1(5.21), 9.2(2.4), 9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu93339
Title:
Cisco ASA Poodle TLS Variant
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
Cisco ASA models 5506-X, 5508-X and 5516-X include a version of an SDK which is vulnerable to a variant of POODLE TLS where the first byte of the padding is not checked.

Additional information about this issue can be found at:
https://vivaldi.net/en-US/blogs/entry/there-are-more-poodles-in-the-forest

Conditions:
The Cisco ASA Software is affected by this vulnerability if a feature which uses TLS is enabled. The exposure is confined to that feature only.
Examples of features using TLS are the HTTP Secure server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.

Workaround:
There is no workaround for this issue other than disabling the affected feature.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0
CVE-2015-4595 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.2), 9.4(1.3)
Known Fixed Releases: *
100.12(0.130), 100.13(0.81), 100.13(29.28), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCuu99349
Title:
ASA-3-317012 and "No route to host" errors even though the route exists
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A certain sequence of configuration steps can lead to the errors:

%ASA-3-317012: Interface IP route counter negative - Management0/0

and

No route to host

when traffic is sent from the ASA to a remote IP address and a valid route exists to reach the destination.

Conditions:
This was found in transparent firewall mode in 9.3(2).

Workaround:
This is a rare situation. Reboot the ASA.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58)
Alert Type:
Updated *
Bug Id:
CSCuv72826
Title:
object-group-search access-control enabled, nested object group issue
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA denied traffic after moving an object group into another object group.

Conditions:
"object-group-search access-control" is enabled.

Workaround:
Re-apply the access-list to the interface.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6), 9.2(3), 9.4(1)
Known Fixed Releases: *
100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.56), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCuu75675
Title:
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
For the ASA5516, ASAOS supports 250 SSL VPN sessions; based on marketing data, this should be increased to 300 sessions.

Conditions:
ASA5516

Workaround:
none

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(19.1), 100.15(2.54), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCuv35243
Title:
ASA: Not able to remove ACE with "log default" keyword
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA: Unable to remove ACE with "log default" keyword enabled

Conditions:
The "log default" keyword is added at the end of the ACE.

Workaround:
Do not use the "log default" keyword at the end of the ACE.

In the case of CSM, use the ACL parameter "traffic" rather than "speed".

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.66), 100.15(16.1), 100.15(17.1), 100.15(3.35), 100.15(6.22)
Alert Type:
Updated *
Bug Id:
CSCsl74827
Title:
Error messages on console due to QoS configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Due to the QoS configuration on the ASA, errors like the ones below might be seen on the console:

Message #941 : ERROR: Problem with interface 8
Message #942 : ERROR: Problem with interface 9
Message #943 : ERROR: Problem with interface 10

It is believed that these errors are cosmetic, and do not indicate a problem with the operational state of the ASA.

Conditions:
QoS must be configured to encounter this problem.

Workaround:
None known

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.0(2), 8.1(0.135), 9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.146), 100.13(0.100), 100.14(0.73), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuu18527
Title:
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some corner cases, if the backend server responds with HTTP "302 Found" where, in the Location URL, the FQDN and the URI are separated not by "/" but by "?", the ASA appends the same URI prefix as the one it was redirected from, resulting in an HTTP 404.

For example:
Client Performs: GET /abcd/login.php
Backend Server Responds with HTTP 302 Found: Location: http://server.company.com?email=bsg73kdpo1098
At this stage, ASA rewrites this HTTP header as: HTTP 302 Found: Location: http://server.company.com/abcd/?email=bsg73kdpo1098

Here, notice that the ASA appends /abcd/ from the original URI.

Conditions:
ASA acting as a Clientless SSL VPN server, with users accessing intranet websites through the WebVPN portal. The websites are served through the ASA's rewriter engine.

Workaround:
Use the Smart-Tunnel feature.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3.1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu81932
Title:
ASA tunnel-group-map cannot contain spaces
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA cannot use spaces in tunnel-group-map even though tunnel-group can use them.

Conditions:
Spaces are used in tunnel-group-map, such as:
tunnel-group-map TEST 5 "TEST CISCO"

Workaround:
Do not use spaces for now.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu02635
Title:
Remove demo and eval warning for sfr monitor-only
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A warning is produced when configuring the SFR module to monitor-only mode. Example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
WARNING: Monitor-only mode should be used for demonstrations and evaluations only. This mode prevents SFR from denying or altering traffic.

Conditions:
The policy-map sfr monitor-only mode is supported for production, which makes the "should be used for demonstrations and evaluations only" text incorrect and confusing.

Workaround:
None. Ignore the "should be used for demonstrations and evaluations only" portion of the warning.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuv90156
Title:
All Remarks in ACLs are pushed to the end of each ACL after upgrade
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
All remarks in ACLs are bundled together and pushed to the end of each ACL after running an upgrade.

Conditions:
This happens when the command "object-group-search access-control" is present in the configuration at the time of the upgrade.

Workaround:
Remove the "object-group-search access-control" command before the upgrade and re-apply it after the upgrade.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3, 9.4, 9.5
Known Fixed Releases: *
100.12(0.145), 100.13(0.98), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13), 9.4(1.107)
Alert Type:
Updated *
Bug Id:
CSCuu88548
Title:
Ampersand (&) not encoded in packet tracer phase 'extra' field
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASDM is unable to run packet tracer when traffic traverses an interface with an ampersand (&) in the name. ASDM will show an error indicating 'Error while forming XML'.

Conditions:
This is seen when the packet path traverses an interface with an ampersand character in the name.

Workaround:
Change the interface name to not include an ampersand.

Further Problem Description:
This is caused by the ASA not encoding the ampersand as &amp; when generating the XML payload. You can verify you are hitting this issue by running the packet-tracer command on the CLI with the xml keyword and looking for an unencoded ampersand character. For example:

ASA# packet-tracer input inside tcp 192.168.100.200 12345 10.10.0.100 80 xml
::output truncated::

2
ROUTE-LOOKUP
Resolve Egress Interface
ALLOW

found next-hop 10.10.10.254 using egress ifc DMZ&Servers <<<< Unencoded ampersand

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu88607
Title:
Double counting flow bytes for decrypted packets
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Some statistics and syslogs related to flow bytes may be inflated due to double counting of decrypted packets.

Conditions:
Traffic involving decrypted packets.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(5.20)
Alert Type:
Updated *
Bug Id:
CSCuu31281
Title:
AAA Authorization HTTP sends username in password field of authorization
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASDM access may be denied to all users even if their passwords are correct, and they are in the correct groups for authorization. This occurs because after a change in asdm authorization in 9.4.1, administrators must configure a new command, "aaa authorization http console" to authorize HTTP/ASDM logins (this was not the case in pre-9.4 code). With that command entered, the ASA sends a second packet to the authentication server but the attempt causes a failure because the ASA puts the username in the password field of the packet.

Conditions:
- ASA 9.4.1 or greater
- "aaa authorization http console aaa-group" configured for ASDM authorization
- Has been observed with the LDAP protocol and the RADIUS protocol, but may apply to others as well

Workaround:
- Disable HTTP authorization by removing "aaa authorization http console" command from configuration (NOTE: This will allow all users to login to ASDM if their credentials are valid)
- Downgrade to 9.3 or lower

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3)
Alert Type:
Updated *
Bug Id:
CSCut80316
Title:
Ikev2 Session with bogus assigned IP address stays on ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IKEv2 EAP-TLS connection with a Windows 8.1 Phone.

Conditions:
IKEv2 EAP-TLS connection with a Windows 8.1 Phone with continuous connect/disconnect.

Workaround:
- Remove the bogus externally assigned IP address to avoid the issue, or
- Wait some time before connecting again, as the address becomes available again.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.230)
Known Fixed Releases: *
100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCuu99902
Title:
Saleen Alarm LED lit when BMC SEL log is full
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Alarm LED turned on.

Conditions:
The SEL in the BMC is full.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.6(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuu07308
Title:
"ssh scopy enable" deleted from configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"ssh scopy enable" deleted from configuration

Conditions:
Seen on a multi-context ASA.

ssh scopy enable is turned on.

The command may be removed when making changes in the ASA system context. Confirmed that the command disappears after deleting a context.

Workaround:
Simply re-add the command to the configuration to continue using ssh scopy.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuw88405
Title:
BGP not working when admin context is in transparent mode
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
BGP not working when admin context is in transparent mode

Working:
!
ciscoasa# show context
Context Name Class Interfaces Mode URL
*admin default Management0/0 Transparent disk0:/admin.cfg
USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt
USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt
!
ciscoasa(config-router)# show run router
router bgp 1
bgp log-neighbor-changes
!
Non-working:
!
ciscoasa# show context
Context Name Class Interfaces Mode URL
*admin default Management0/0 Transparent disk0:/admin.cfg
USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt
USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt
!
ciscoasa(config)# router bg?
ERROR: % Unrecognized command

Conditions:
When the admin context is in transparent mode.

Workaround:
Put the admin context in routed mode.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3
Known Fixed Releases: *
100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.78), 100.15(20.14), 100.15(8.24), 100.16(0.8), 100.16(1.27), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCuu73087
Title:
Standalone AnyConnect fails to connect due to empty DAP user message
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standalone AnyConnect client fails with the following message: 'The VPN configuration received from the secure gateway is invalid. Please contact your network administrator.'

Conditions:
1) The AnyConnect client version 2.5.6005 or lower is referenced on the ASA.
2) The DAP record being hit - not the Default DAP record - has no user message.
3) ASA version is 9.3.2 and above.

Workaround:
1) Configure a User Message for the DAP record.
2) Use the AnyConnect client version 3.0.x/3.1.x/4.x on the ASA.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2), 9.3(3.1), 9.4(1)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCur56038
Title:
RPC error in request config after replicated a large configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
RPC error when the configuration is replicated in a cluster environment.

Conditions:
ASA configured for firewall clustering.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.55), 100.11(0.57), 100.12(0.111), 100.12(0.118), 100.13(0.17), 100.13(0.58), 100.13(19.9), 100.13(21.11), 100.13(21.6), 100.14(0.1)
Alert Type:
Updated *
Bug Id:
CSCty36034
Title:
ASA: Active/Active failover group stuck in Bulk Sync with SIP inspect
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:

Under rare conditions, an ASA Active/Active failover pair may show one of the failover groups stuck in the Bulk Sync state due to HA state progression failures.

Conditions:

The ASA must have SIP inspection enabled.

Workaround:

There is no known workaround at this time. Reloading both ASAs in the failover pair may clear the problem, but this is currently unconfirmed.

Last Modified:
15-JAN-2016
Known Affected Releases:
8.2(5)
Known Fixed Releases: *
100.7(13.62), 100.7(18.14), 100.7(20.4), 100.7(6.67), 100.8(0.87), 100.8(11.13), 100.8(24.42), 100.8(27.2), 100.9(0.1), 100.9(2.1)
Alert Type:
Updated *
Bug Id:
CSCux59851
Title:
Anyconnect IKEv2 with Host Scan can't connect with SSL disabled
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect is able to connect via IKEv2 with Host Scan enabled and SSL access allowed. After disabling SSL access, I can't connect and get the message "Posture Assessment Failed: Unable to get the available CSD version from the secure gateway."

Conditions:
Version 9.5.2

Workaround:
1. Downgrade to 9.5.1
2. Enable WebVPN on the interface [ conf t -> webvpn -> enable ]

Further Problem Description:

Last Modified:
20-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.109), 100.16(0.19), 100.16(1.98), 96.1(1.52)
Alert Type:
Updated *
Bug Id:
CSCun32897
Title:
Data path: ASA traceback in CTM message handler
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA crash

Conditions:
Large amount of IPSec based traffic when a crypto reset occurs.

Workaround:
None

Further Problem Description:

Last Modified:
20-JAN-2016
Known Affected Releases:
9.1(2)
Known Fixed Releases: *
100.10(9.6), 100.11(0.2), 100.8(38.127), 100.8(40.65), 100.8(56.34), 100.8(63.2), 100.8(64.7), 100.8(65.4), 100.8(66.7), 9.0(4.8)
Alert Type:
Updated *
Bug Id:
CSCto36047
Title:
ASA drops traffic due to vpn-user with no vpn filter applied
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:

When traversing an IPsec VPN, user traffic is dropped by an access-list (vpn-filter) although none is configured.

Conditions:
First seen in ASA 8.3 as a headend terminating EZVPN in client mode.

Workaround:
Reload the ASA to clear the situation.

Further information:
To understand whether you are affected by this bug, the following details need to be gathered:
- a trace detail capture from the ingress and egress interfaces, e.g.
------------
capture TRACE_INSIDE interface inside access-list MY_ACCESS_LIST packet 1512 trace detail
------------
perform the test and then run:
------------
show capture TRACE_INSIDE trace detail
------------
- show uauth
- a traffic capture in PCAP format
- packet-tracer output for the dropped flow

Last Modified:
20-JAN-2016
Known Affected Releases:
8.3
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux65627
Title:
100G EPM traffic slowly ramp up to 80 Gbps for single blade
Status:
Open
Severity: *
3 Moderate
Description:

Symptom:
100G EPM traffic ramps up slowly to 80 Gbps for a single blade

Conditions:
Using 100G EPM only to run traffic

Workaround:
Use 8x10G on board ports instead.

Further Problem Description:
N/A

Last Modified:
21-JAN-2016
Known Affected Releases:
96.1(1.24), 99.1(4.908)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux63770
Title:
IPAA needs improved debugging - Part 2- add Syslogs 737034-737036
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Hard to troubleshoot errors while DHCP assigns addresses with IPAA

Conditions:
Error path conditions

Workaround:
None

Further Problem Description:

Last Modified:
21-JAN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.13(0.124), 100.15(0.109), 100.16(0.19), 9.0(4.212), 9.1(6.117), 96.1(1.53), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux38633
Title:
PLR: ASAv10 uses an ASAv30 entitlement
Status:
Open
Severity: *
3 Moderate
Description:

Symptom:
When licensing an ASAv with PLR after switching between ASAv models, an ASAv10 can sometimes reserve an ASAv30 license.

Conditions:
Begin with a licensed ASAv10 that is in PLR mode.
Return the ASAv license entitlement
Change the ASAv10 to an ASAv30 in the VMWare settings
Load the ASAv30
Check the ASAv VM status by issuing 'show vm' to verify it is an ASAv30
Power down the ASAv30, and change settings back to an ASAv10
Check the ASAv VM status by issuing 'show vm' to verify it is an ASAv10
License the ASAv10 again with PLR.
It sometimes reserves an ASAv30 license.

Workaround:
After changing models and booting up with a new model, reboot before issuing PLR commands.

Return the PLR license and re-license.

Further Problem Description:

Last Modified:
22-JAN-2016
Known Affected Releases:
100.15(8.38)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux27028
Title:
L2TP/IPSec fails with Multilink PPP enabled on Win client
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
L2TP/IPSec fails with Multilink PPP enabled on Win client

Conditions:
ASA running version 9.4 and Multilink PPP setting is enabled on Windows Client.

Workaround:
Disable Multilink PPP on end client -

1. Open the Network Connections folder and view available connections.
2. Right-click the L2TP connection, and then click Properties.
3. On the Options tab, click PPP Settings.
4. Uncheck the Negotiate multi-link for single-link connections check box.

Further Problem Description:

Last Modified:
24-JAN-2016
Known Affected Releases:
9.4(1.5)
Known Fixed Releases: *
100.13(0.125), 100.15(0.110), 100.16(0.20), 96.1(1.52), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux41876
Title:
ASA IPSEC crypto map set df-bit copy-df/clear-df does not take effect
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The change of "df-bit" setting in crypto map is not taking effect. The global setting is used.

E.g.:

show run all | inc df-bit
crypto ipsec df-bit copy-df inside
crypto ipsec df-bit copy-df outside
crypto map vpnmap 1 set df-bit clear-df

show crypto ipsec sa
Crypto map tag: vpnmap, seq num: 1, local addr: 203.0.113.1
...
PMTU time remaining (sec): 0, DF policy: copy-df

OR

show run | inc df-bit
crypto ipsec df-bit clear-df outside
crypto map vpnmap 1 set df-bit copy-df

show crypto ipsec sa
Crypto map tag: vpnmap, seq num: 1, local addr: 203.0.113.1
...
PMTU time remaining (sec): 0, DF policy: clear-df

Conditions:
- L2L VPN on ASA.
- Different df-bit setting is needed for different tunnels in the same crypto map, sourced from the same interface.

Workaround:
No workaround - the only option is to use the same global setting for all the tunnels.

Further Problem Description:
The crypto map set df-bit options do not take effect. Instead, the global ipsec configuration for an interface is used to choose the DF policy.
This behavior has been modified so that crypto map settings take precedence over the global ipsec configuration. In other words, if a crypto map is configured with a df-bit setting, it overrides the global IPsec configuration. If neither the global nor the crypto map setting is configured, then, as before, copy-df is used.

Last Modified:
24-JAN-2016
Known Affected Releases:
9.0(2), 9.2(3.4), 9.3(2), 9.5(2)
Known Fixed Releases: *
100.13(0.125), 100.15(0.110), 100.16(0.20), 96.1(1.52), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux98333
Title:
Global inspection policy is getting deleted during APIC audit
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Global inspection policy is getting deleted during APIC audit process

Conditions:
Configure Global inspection policy using OOB configuration

Workaround:
The workaround is to rename the default policy-map from "global_policy" to "global_app_inspect_policy" as shown below.
========================
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
...
service-policy global_policy global

-------------------------------------------
policy-map global_app_inspect_policy
class inspection_default
inspect dns preset_dns_map
....
service-policy global_app_inspect_policy global

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
1.2(3.11)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux99061
Title:
ASA - SSH keys lost after reload on selected contexts
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Unable to SSH to device after reload.
Crypto keys (e.g. used for SSH connection) are gone after reload on selected contexts; keys on other contexts are saved properly.

Conditions:
Multiple context mode.

Workaround:
Connect to ASA in alternative way (console, telnet or ASDM) and generate new keys.

Further Problem Description:

Last Modified:
26-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux86065
Title:
Delete PDP Context Response should not be dropped if TEID is NULL
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A Delete PDP Context Response could be dropped by the ASA with the following syslog:

%ASA-3-324001: GTPv1 packet parsing error for message Delete PDP Context Res from outside:12.0.0.2/2123 to inside:10.0.0.2/23451, TEID: 0x00000000, Reason: Null TID

Conditions:
When the GSN cannot find the corresponding PDP context to process the Delete Request.

Workaround:

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
9.5(1.172)
Known Fixed Releases: *
9.5(1.176), 96.1(1.58), 96.2(1.109)
Alert Type:
Updated *
Bug Id:
CSCuv35050
Title:
ASA - slow NFSv3 transfer with sunrpc inspection
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA 9.1.x - slow NFSv3 transfer.

Conditions:
ASA running 9.1.x with sunrpc inspection enabled.

Workaround:
Disable inspection or configure TCP state bypass, or decrease the sunrpc timeout to a much lower value so that the secondary data connection times out.

Further Problem Description:

Last Modified:
28-JAN-2016
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.112), 96.1(1.34), 96.1(6.9)
Alert Type:
Updated *
Bug Id:
CSCux99214
Title:
ASA5516 SSD reports incorrect OID in Entity MIB
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
Wrong OID returned for ASA5516 SSD in Entity MIB

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux14935
Title:
AnyConnect profile updates are not deployed properly against ASA-9.5.2
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect profile updates are not deployed properly against ASA-9.5.1

Conditions:
ASA-9.5.1.101

Workaround:
Downgrade ASA version - 9.4.1 in my case

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases:
9.5(1.101)
Known Fixed Releases: *
100.15(0.94), 100.15(8.33), 100.16(0.10), 100.16(1.44), 100.16(14.1), 100.16(15.5), 9.5(1.107), 9.5(1.193), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCux90740
Title:
"backup" command does not include anyconnect client profile files
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"backup" command via CLI does not contain AnyConnect client profile files.

Conditions:
backup ASA configuration via CLI

Workaround:
Backup ASA configuration via ASDM

Further Problem Description:

Last Modified:
31-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.13(0.127)
Alert Type:
Updated *
Bug Id:
CSCus08552
Title:
show traffic protocol stats show large counter values-enhanced pkt stats
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
show traffic protocol statistics show huge counter values after enhanced packet stats are enabled.

Conditions:
After enhanced packet statistics are enabled with the command "sysopt traffic detailed-statistics", some of the counter values are very large as displayed with the "show traffic" command.

Workaround:
None

Further Problem Description:

Last Modified:
31-JAN-2016
Known Affected Releases:
100.12(0.101), 9.3(1.108)
Known Fixed Releases: *
100.13(0.127), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCua71298
Title:
Help arp in context shows arp permit-nonconnected
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp in admin and user contexts shows arp permit-nonconnected entry, which is only available in system context.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.114), 100.14(0.79), 100.15(0.56), 100.15(17.24), 100.15(3.77), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCua66518
Title:
Help arp SYNTAX section misses "permit-nonconnected" entry
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp misses permit-nonconnected entry in SYNTAX section.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(4), 8.4(4.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.13(0.121), 100.14(0.83), 100.14(0.84), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18)
Alert Type:
Updated *
Bug Id:
CSCuu88297
Title:
SSP ASA OS reports incorrect sysObjectID value / reports it's a ASA5585
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The FirePower ASA blade reports an incorrect sysObjectID value, reporting itself as a multicontext ASA5585.

Conditions:
All

Workaround:
None

Further Problem Description:
With the fix for CSCuu88297, and once the new CISCO-PRODUCTS-MIB is available in August, 2015, the sysObjectOID will be one of the following:
CISCO-PRODUCTS-MIB::ciscoFpr9000SM24
CISCO-PRODUCTS-MIB::ciscoFpr9000SM36

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1.80)
Known Fixed Releases: *
100.14(0.63), 100.14(7.41), 100.15(1.33), 100.15(10.4), 100.15(6.4), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCty30899
Title:
fqdn command option is removed when deleting RSA key
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If both the fqdn and keypair commands are configured in a trustpoint, and the RSA key associated with the trustpoint is removed by crypto key zeroize, the fqdn command's option is unexpectedly removed and remains blank.

Conditions:
Both fqdn and keypair commands are configured in trustpoint.

Workaround:
Reconfigure fqdn command with option in trustpoint configuration mode.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.2, 8.4
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.18), 100.14(26.7), 100.14(3.6), 100.14(4.26)
Alert Type:
Updated *
Bug Id:
CSCuq09430
Title:
ASA "debug webvpn anyconnect 255" not showing empty certificate issue
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
"debug webvpn anyconnect 255" should be much more verbose when an empty certificate is sent

Conditions:
Empty cert sent

Workaround:
Troubleshoot the problem using capture on different end.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13), 100.14(6.9), 100.14(7.8)
Alert Type:
Updated *
Bug Id:
CSCuv96380
Title:
Failover uptime sync failure
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
On ASAs running in failover, the failover uptime does not sync to match on both ASAs.

Conditions:
ASAs in failover with a huge number of contexts in a multicontext setup (108 contexts in my setup).

Workaround:
N/A

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(4), 9.1(4.5), 9.1(6)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.77), 100.15(0.36), 100.15(17.12), 100.15(3.61), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv62112
Title:
show version and show tech show "BIOS Flash unknown"
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
You may see "BIOS Flash unknown @ 0x0, 0KB" in the show version and show tech outputs

Conditions:
Affects ASA5506 appliances. Looking for bios flash information in show version or show tech output.

Workaround:
None

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.137), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.15), 100.15(16.1), 100.15(2.83), 100.15(3.32), 100.15(6.19)
Alert Type:
New
Bug Id:
CSCux67036
Title:
ROMMON CLI for accessing FPGA SPI Flash in KilburnPark
Status:
Open
Severity:
4 Minor
Description:

Symptom:
N/A

Conditions:

Workaround:

More Info:
This is a HW development debugging feature only.

Last Modified:
04-JAN-2016
Known Affected Releases:
0.1(0)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtr84992
Title:
Possible to add multiple identical lines under certificate maps
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Identical config lines are allowed under crypto ca map

Conditions:
ASA 8.4.1 with crypto ca map

Workaround:
remove them manually

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.8(50.40), 8.4, 8.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.135), 100.13(0.88), 100.14(0.67), 100.15(0.21), 100.15(1.37), 100.15(10.4), 100.15(15.2), 100.15(2.75), 100.15(4.23)
Alert Type:
Updated *
Bug Id:
CSCty02525
Title:
Last transaction time in 'show aaa-server' cmd changes.
Status:
Fixed
Severity:
4 Minor
Description:


Symptom:
Last transaction time in the output of the 'show aaa-server' command changes by a single second.

Conditions:
none.

Workaround:
none.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.2(0), 8.4
Known Fixed Releases: *
100.13(0.67), 100.13(21.13), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41), 100.14(5.13), 100.14(6.11), 100.14(7.12)
Alert Type:
Updated *
Bug Id:
CSCuo65775
Title:
Cisco ASA Information Disclosure Vulnerability
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to disclose sensitive data. This information could be used for reconnaissance attacks.

The vulnerability is due to insufficient protections of sensitive data before authentication with the AnyConnect client. An attacker could exploit this vulnerability by attempting to authenticate to the device with AnyConnect, which could disclose the sensitive information.

Conditions:
Device running with default configuration running an affected version of software using the AnyConnect client.

The AnyConnect client can be running any version of software.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2016-1295 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
27-JAN-2016
Known Affected Releases: *
8.4, 9.1, 9.3, 9.4
Known Fixed Releases:
100.11(0.47), 100.12(0.48), 100.12(6.7), 100.13(0.3), 100.13(11.2), 100.13(12.3), 100.13(13.1), 100.13(14.2), 100.13(15.1), 100.13(16.1)
Alert Type:
Updated *
Bug Id:
CSCuw75736
Title:
ASA 9.4 - The source of CoA packet does not match tunnel-group config
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
-- change in configuration order resulted in failed CoA NAK, with the following error:

"The source of CoA packet does not match tunnel-group config."

Conditions:
non-working configuration
======================
sh run aaa-
aaa-server ACCT protocol radius
accounting-mode simultaneous
interim-accounting-update
reactivation-mode timed
aaa-server ACCT (inside) host 172.16.1.13
key *****
aaa-server ACCT (inside) host 172.16.1.14
key *****
aaa-server ISE protocol radius
authorize-only
interim-accounting-update
dynamic-authorization
aaa-server ISE (inside) host 172.16.1.13
key *****

Workaround:
working configuration
======================
sh run aaa-
aaa-server ISE protocol radius
authorize-only
interim-accounting-update
dynamic-authorization
aaa-server ISE (inside) host 172.16.1.13
key *****
aaa-server ACCT protocol radius
accounting-mode simultaneous
interim-accounting-update
reactivation-mode timed
aaa-server ACCT (inside) host 172.16.1.13
key *****
aaa-server ACCT (inside) host 172.16.1.14
key *****

Further Problem Description:
N/A

Last Modified:
31-JAN-2016
Known Affected Releases:
9.4(1.5)
Known Fixed Releases: *
100.13(0.127), 96.1(1.58), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCuv29505
Title:
EEM Action Sometimes Executed Multiple Times
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Sometimes an event manager absolute time (time-of-day) applet can run multiple times.

Conditions:
NTP is configured, or the system clock has been manually modified.

Workaround:
None

Further Problem Description:
This happens if the actual system time-of-day is earlier than the configured absolute time when the event manager applet runs. When that happens, the applet is then re-armed and will execute again that day at the expected time.

The applet execution time can get out-of-sync due to automatic time adjustments done by NTP, or if the system clock is manually changed via the "clock set" CLI command.

The fix for CSCuv02304 "EEM action not executed on absolute time when NTP is configured" reduced the likelihood of this happening, but there is still a possibility that it could occur.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.133), 100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62), 100.15(3.16), 100.15(4.20), 100.15(5.23)
Alert Type:
Updated *
Bug Id:
CSCur42057
Title:
Smart Licensing: License config warning needs message classification
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Incomplete smart licensing config will be reported as an error by ASDM.

Conditions:
User configures only one part of smart licensing. There are two parts: feature tier and throughput. If the user specifies only one and then exits, the message that is displayed will be interpreted as an error by ASDM.

Workaround:
Configure both parts of smart licensing before exiting smart licensing config.

Further Problem Description:
This should be displayed as a warning by ASDM. The code should be modified to prepend "WARNING:" so that ASDM properly displays it as a warning.

Last Modified:
25-JAN-2016
Known Affected Releases:
100.12(6.24)
Known Fixed Releases: *
100.16(0.20), 96.1(1.56), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCuv93976
Title:
NTP: Standby ASA sends NTP with source 0.0.0.0 if standby ip not set
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
A standby ASA in a failover pair may send NTP packets with a source IP of 0.0.0.0 if the interface those packets would normally leave from does not have a standby ip configured.

Conditions:
This is seen in failover deployments where the NTP-server-facing interface does not have a standby IP in its configuration.

Workaround:
Configure the standby ip address for that interface.

Further Problem Description:

Last Modified:
24-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.13(0.125), 100.15(0.110), 100.16(0.20), 96.1(1.53), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux26909
Title:
Doc: ASA5506 does not support Time-based Security Plus license
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
This is a bug being opened for documentation update.

ASA5506 does not support Time-based Security Plus license.

This information needs to be updated on the applicable ASA5506/Licensing Docs:

Release 9.3:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html

Release 9.4:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/intro-license.html

Conditions:
ASA5506
Security Plus time-based license

Workaround:
N/A

Further Problem Description:

Last Modified:
13-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtl51881
Title:
Error not generated w/ duplicate ACE entry when containing object-group
Status:
Open
Severity:
4 Minor
Description: *

Symptom:
If a duplicate ACE entry containing an object-group is added, the ASA does not generate an error for the duplicate ACE.
Error/warning message should be generated for invalid entry.

Conditions:
Duplicate ACE entry with object-group is added to ASA.

Workaround:
none.

Last Modified:
20-JAN-2016
Known Affected Releases: *
8.0(5.22), 8.2(4.1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsi39394
Title:
FO: Need to suppress the below messages on the standby
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
The Standby unit does not suppress all error messages that are displayed on the active ASA

Conditions:
Issuing specific commands on the active Failover unit may display some error messages on the standby unit

Workaround:
NA

Further Problem Description:

Last Modified:
19-JAN-2016
Known Affected Releases:
8.0(0.248)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur31916
Title:
Possible DoS from libxml2 entity parsing (CVE-2014-3660)
Status:
Other
Severity:
4 Minor
Description:

Symptoms:

This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3660

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3660 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut12172
Title:
Unable to observe any DHCP lease information using the show command
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
Customer is unable to observe any lease information using the "show ip address dhcp lease" command on the ASA.

Conditions:
The customer has a failover setup and the AC clients are connected to the ASA. There are 2 DHCP servers in the setup. When the customer executed a bulk sync on the ASAs, the customer was unable to observe any lease information on the console for the show command.

Workaround:
None.

Further Problem Description:
The problem details are available in the case SR 633070885 (http://www-tac.cisco.com/Teams/ks/c3/casekwery.php?Case=633070885&noheader=1)

Last Modified:
17-JAN-2016
Known Affected Releases:
9.1(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv29083
Title:
ASA packet-tracer shows wrong output with PBR and policy NAT
Status:
Open
Severity:
5 Cosmetic
Description: *

Symptom:
- Consider topology where ASA has two default routes (e.g. one primary ISP, one backup ISP).
- Furthermore on ASA there is policy NAT configured for the backup ISP.
- On ASA there is PBR configured for specific traffic which 'forces' it to select the backup link.
- The real traffic is indeed routed based on PBR to backup ISP bypassing the route lookup.
- The packet-tracer output though shows that the traffic is routed based on route lookup which is wrong.
- The same applies for capture with trace detail option. It shows wrong egress interface (ISP1 instead of ISP2)
- The trigger for this packet-tracer misbehavior is the policy NAT configuration.

Conditions:
ASA has policy NAT configured that uses service as condition e.g.
nat (inside,NET2) source static obj-10.0.0.1 interface service UDP_69 UDP_69

Workaround:

Further Problem Description:

Last Modified:
08-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux81063
Title:
ASA: Incorrect counters in show resource usage output
Status:
Open
Severity:
5 Cosmetic
Description: *

Symptom:
ASA shows incorrect counter in show resource usage output.

Conditions:
ASA in multiple context with resource class configured for a specific ASA context.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
13-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuc02113
Title:
ISAKMP debugs display incorrect Message ID and length data
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
ISAKMP debugs display the MessageID and Length values incorrectly in the BEFORE ENCRYPTION section when sending a packet.

Conditions:
Cisco ASA running release 7.2.4 or 8.2.5. ISAKMP debugs are enabled at level 255.

Workaround:
Use "capture type isakmp interface "

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
7.2(4), 8.2(5.31)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.22), 100.14(7.21), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCum67159
Title:
ENH : Unclear warning while enabling AC essentials license
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
When a key with anyconnect license enabled is activated, the warning message is not clear enough to understand that the clientless webvpn and hostscan features will not work anymore as the anyconnect-essentials gets configured under the webvpn configuration.
Below is the message that currently comes up on the CLI.

ASA# activation 0xdf1cc57f 0x94835e6a 0x3d4271bc 0xe0900464 0x$
Validating activation key. This may take a few minutes...

**********************************************************************
WARNING: AnyConnect Essentials license active. Basic VPN support is
in effect. For specific details, please refer to Cisco AnyConnect VPN
Client Administrator Guide.
**********************************************************************

The Warning should be extended to let the administrator know that:

Anyconnect essentials gets enabled under this part of the configuration:

webvpn
anyconnect-essentials

Conditions:
1. Activating license key which has anyconnect essentials enabled on an ASA that acts as AnyConnect, Clientless SSLVPN Server with/without CSD.
2. Use CLI to activate the license.

Workaround:
If Clientless SSLVPN and CSD functionalities are required, we would need to disable "anyconnect-essentials" manually:
webvpn
no anyconnect-essentials

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(4)
Known Fixed Releases: *
100.12(0.132), 100.13(0.84), 100.14(0.64), 100.14(16.2), 100.14(5.24), 100.14(7.46), 100.15(1.34), 100.15(2.73), 100.15(3.17), 100.15(4.23)
Alert Type:
Updated *
Bug Id:
CSCua66557
Title:
arp permit-nonconnected not indented in help arp multiple mode
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
Help arp in multiple mode has incorrect indentation for "arp permit-nonconnected" entry.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30)
Alert Type:
Updated *
Bug Id:
CSCus22893
Title:
Extra space after newline in some syslogs
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
There is an extra whitespace character after the newline character in syslogs:

733104
733105
734001
717012
717011
717010
717009
717008
717007
717006
717005
717004
717003

Conditions:
This is seen in all versions of ASA code. Refer to the bug details for more information on fixed version.

Workaround:
None, this is purely cosmetic.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5), 9.2(3), 9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Alert Type:
Updated *
Bug Id:
CSCuu99716
Title:
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex 1st/last entries should be 0
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The first and last entries in the CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex table are '1'. They should be zero.

Conditions:
all

Workaround:
none

Further Problem Description:
The first entry corresponds to the context average. The last entry corresponds to the system average. Since these represent more than one physical entity and are not represented in the ENTITY-MIB, according to the definition of cpmCPUTotalPhysicalIndex in CISCO-PROCESS-MIB.my, the values for cpmCPUTotalPhysicalIndex should be zero.

Last Modified:
14-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.14(0.51), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20), 100.15(8.5)
Alert Type:
New
Bug Id:
CSCuy05878
Title:
ASA: dir command should allow for pipe commands
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
On the ASA, the directory command "dir" is not able to use the pipe command "|". This enhancement is a request to be able to use the pipe command to be able to filter out info.

Conditions:
ASA firewall and using the directory command from the CLI.

Workaround:
You can use the pipe with "show flash".

Example:
show flash | inc filename

Further Problem Description:

Last Modified:
30-JAN-2016
Known Affected Releases:
9.5(2), 9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtz82865
Title:
SNMP MIB: Equivalent of "show xlate count" command
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Need SNMP MIB support so that polling can retrieve the equivalent of the "show xlate count" command.

Conditions:
Cisco ASA running release 8.4.4 with SNMP enabled.

Workaround:
None.

Additional Information:
The cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs will be added to expose xlate_count and max_xlate_count.

Last Modified:
31-JAN-2016
Known Affected Releases:
100.7(6.77), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.13(29.28), 100.14(0.13), 100.14(0.5), 100.14(1.4), 100.14(10.23)
Alert Type:
Updated *
Bug Id:
CSCuv83951
Title:
ASA webvpn: Citrix SSO for Storefront 2.6 does not work
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SSO for Citrix StoreFront 2.6 does not work. This is an enhancement request to support it.

Conditions:
Using SSO for Storefront version 2.6

Workaround:
none

Further Problem Description:

Last Modified:
29-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.16(1.16), 100.16(14.1), 96.1(1.54), 96.1(1.57)
Alert Type:
Updated *
Bug Id:
CSCus79188
Title:
Support SHA2/TLS 1.2 in 9.1.x code for ASA Benetton platforms
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
Support SHA2/TLS 1.2 in 9.1 Code

Conditions:
SHA2 support was introduced in ASA 9.3.2. However, 9.1 is the last release that runs on the 5510, 5520, 5540, and 5550 platforms. This is an enhancement request to support SHA2 in 9.1.

Workaround:
None

Further Problem Description:
The Cavium crypto hardware in the 5510, 5520, 5540, and 5550 models does not support TLSv1.1 or TLSv1.2, so these platforms cannot gain SHA2/TLS 1.2 support through a software update.

Last Modified:
28-JAN-2016
Known Affected Releases:
9.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw03419
Title:
SPYD PIM BSR 1K mcast group UDP 64B PPS is 50% lower than without PIM
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
SPYD PIM BSR UDP 64B PPS is 50% lower than without PIM

Conditions:
-Topology:
Source-RP-router-(inside)ASA(outside)-destination client.

Workaround:
Do not use PIM

Further Problem Description:
N/A

Last Modified:
27-JAN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux96525
Title:
Need to support "cut-through" SGT use-case
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
ASA lacks the capability to propagate untagged SGT packets as untagged while at the same time propagating tagged packets as tagged.

Conditions:
All

Workaround:
None

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
EVERCLEAR
Known Fixed Releases: *
96.2(1.109)
Alert Type:
Updated *
Bug Id:
CSCuq58646
Title:
L2 cluster slave unit exiting cluster while sending multicast traffic
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
L2 cluster slave unit exiting cluster while sending multicast traffic

Conditions:
Send Ixia test traffic directly to the ASA.

Workaround:

Further Problem Description:

Last Modified:
27-JAN-2016
Known Affected Releases:
100.12(10.32), 9.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux46195
Title:
Hyperlite Support for SD Card
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SD card plug and play does not work. It works on all other devices with hardware version 2.1 or later.

Conditions:
Cisco SKUs ISA3000-4C and ISA3000-2C2F with a hardware version lower than 2.1, as shown in the output of "show modules".

Workaround:
None. Box needs to be RMA-ed so that SD card Microcontroller firmware can be upgraded.

Further Problem Description:

Last Modified:
26-JAN-2016
Known Affected Releases:
100.15(21.12)
Known Fixed Releases: *
96.1(1.28), 96.1(1.57), 96.1(5.2), 96.1(5.3), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCsu46132
Title:
AD msNPAllowDialin to be set without ldap-attrib-map for VPN access ctrl
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
Enhance the ASA to automatically control VPN remote access when the Active Directory dial-in remote access attribute (msNPAllowDialin) is received during an LDAP authentication/authorization exchange, without the need for an LDAP attribute map such as the one described at http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1661796.

Conditions:

Workaround:
None. Use the LDAP attribute-mapping mechanism to control authorization attributes from AD/LDAP.

Further Problem Description:

Last Modified:
26-JAN-2016
Known Affected Releases: *
8.0, 8.1, 8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux55274
Title:
ASA Syslog: log for reaching some percent of license usage
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
ASA platforms

Conditions:
Using licenses that are countable

Workaround:
none

Further Problem Description:

Last Modified:
20-JAN-2016
Known Affected Releases:
8.4(7), 9.0(1), 9.1(6), 9.2(1), 9.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux87646
Title:
DOC: ASA Data Sheets Max Scansafe connection limit
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The data sheets do not list the hard-coded maximum ScanSafe connection limit for each ASA model:
ASA5505 2000
ASA5510 10000
ASA5520 20000
ASA5540 40000
ASA5550 50000
ASA5580 100000
5585-SSP10 200000
5585-SSP20 400000
5585-SSP40 400000
5585-SSP60 400000
ASA5515 20000
ASA5525 100000
ASA5545 150000
ASA5555 200000

Conditions:
-

Workaround:
-

Further Problem Description:

Last Modified:
17-JAN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv71763
Title:
ASAv does not increment broadcast packet count
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
The "broadcasts" counter is not incremented correctly in the ASAv "show interface" output.

Conditions:
Only occurs on virtual platforms, first observed on 9.3.2

Workaround:
None

Further Problem Description:

Last Modified:
15-JAN-2016
Known Affected Releases:
100.14(5.26), 9.3(2), 9.4(1.200)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuq38206
Title:
ENH: ASA show tech should include 'dir all-filesystems'
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Enhancement to add 'dir all-filesystems' to show tech output

Conditions:
n/a

Workaround:
n/a

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCus19373
Title:
IPv4 connected & Local route addition & deletion at mgmt-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Management traffic uses the data path route.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCuu22517
Title:
ASA - SNMPv3 Traps not Generated for PC Link State in Multi-Context Mode
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
On an ASA running in multi-context mode with port-channels allocated to individual contexts, SNMP traps will not be generated when member interfaces of the port-channel go down although the following syslogs are seen in the context itself:

%ASA-6-426002: PORT-CHANNEL:Interface GigabitEthernet0/2 unbundled from EtherChannel interface Port-channel1
%ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/2 bundled into EtherChannel interface Port-channel1

Conditions:
1. Must be using an ASA in multi-context mode
2. Must have port-channels allocated to contexts with at least two member interfaces
3. Must be attempting to monitor the status of the member interfaces via SNMPv3 within the context

Workaround:
It is possible to generate traps from the syslogs by using 'snmp-server enable traps syslog' together with 'logging history informational'; however, this causes a very large number of traps to be generated. There is an ongoing investigation to determine whether there are other, more suitable workarounds.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
9.1(5), 9.2(2.4)
Known Fixed Releases: *
100.12(0.146), 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.3), 100.15(3.50), 100.15(6.33), 100.15(8.13)
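The syslog-to-trap workaround above turns every 426001/426002 message into a trap, so the receiving side has to do the filtering and state tracking itself. The following is an added example (not Cisco code and not part of the bug report) of that logic: it parses the two PORT-CHANNEL messages quoted above, keeps the bundled-member set per EtherChannel, and raises an alert when a port-channel falls below a minimum member count. The sample log lines are constructed; the 302013 line is included only to show that unrelated messages are ignored. It is an assumption that the operator seeds the initial membership from the box (for instance from 'show port-channel summary'), since the tracker only learns from messages it has seen.

```python
import re

# 426001 = member bundled into the EtherChannel, 426002 = member unbundled (left it).
BUNDLE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>42600[12]): PORT-CHANNEL:Interface (?P<member>\S+) "
    r"(?:bundled into|unbundled from) EtherChannel interface (?P<pc>\S+)"
)


class PortChannelTracker:
    """Derive EtherChannel membership from 426001/426002 syslogs and flag
    port-channels that drop below a minimum number of bundled members.

    Membership is learned only from the messages seen, so seed `members`
    (assumption: from 'show port-channel summary') before feeding live logs;
    this class does not poll the firewall."""

    def __init__(self, min_members=2, seed=None):
        self.members = {pc: set(m) for pc, m in (seed or {}).items()}
        self.min_members = min_members
        self.alerts = []

    def feed(self, line):
        """Process one syslog line. Returns (port-channel, member, event,
        bundled count) for a bundle/unbundle message, None for anything else."""
        m = BUNDLE_RE.search(line)
        if not m:
            return None
        pc, member = m.group("pc"), m.group("member")
        bundled = self.members.setdefault(pc, set())
        if m.group("msgid") == "426001":
            bundled.add(member)
            event = "bundled"
        else:
            bundled.discard(member)
            event = "unbundled"
            if len(bundled) < self.min_members:
                self.alerts.append(
                    f"{pc}: {len(bundled)} bundled member(s) after {member} left "
                    f"(minimum {self.min_members})")
        return pc, member, event, len(bundled)


def replay(lines, min_members=2, seed=None):
    """Feed a batch of lines; returns (events, membership, alerts)."""
    tracker = PortChannelTracker(min_members=min_members, seed=seed)
    events = [tracker.feed(line) for line in lines]
    return events, tracker.members, tracker.alerts


# Constructed sample log in the format quoted in the bug report, with a
# syslog timestamp/hostname prefix as a collector would store it.
SAMPLE_LOG = [
    "Jan 14 2016 10:00:01 asa-ctx1 : %ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/2 bundled into EtherChannel interface Port-channel1",
    "Jan 14 2016 10:00:01 asa-ctx1 : %ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/3 bundled into EtherChannel interface Port-channel1",
    "Jan 14 2016 10:05:12 asa-ctx1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/51000 (192.0.2.10/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Jan 14 2016 10:07:40 asa-ctx1 : %ASA-6-426002: PORT-CHANNEL:Interface GigabitEthernet0/2 unbundled from EtherChannel interface Port-channel1",
    "Jan 14 2016 10:09:03 asa-ctx1 : %ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/2 bundled into EtherChannel interface Port-channel1",
]

if __name__ == "__main__":
    events, membership, alerts = replay(SAMPLE_LOG)
    for event in events:
        print(event)
    print("bundled now:", {pc: sorted(m) for pc, m in membership.items()})
    print("alerts:", alerts)
```

Because the trap carries the syslog text verbatim, the same regex works whether the lines arrive over syslog or as the varbind of a syslog trap.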
Alert Type:
Updated *
Bug Id:
CSCui69677
Title:
SNMP: ENTITY-SENSOR-MIB returns wrong values for 5585
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Some ENTITY-SENSOR-MIB OIDs return the wrong values on the 5585. In particular, for the power supply input and fan sensors, entPhySensorType is returned as truthvalue for all four; for the power supply fan sensors it should be rpm.

Conditions:
Cisco ASA running release 8.4.6.

Workaround:
None.

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.4(6)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.55), 100.13(21.10), 100.14(0.13), 100.14(0.4), 100.14(1.4), 100.14(10.23), 100.14(10.8), 100.14(11.8)
Alert Type:
Updated *
Bug Id:
CSCus43455
Title:
ASA IPV6 Policy-Based Routing (PBR) support
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
ASA doesn't support IPV6 Policy-Based Routing (PBR)

Conditions:
-

Workaround:
-

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.14(4.2), 9.1
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(4.1), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
Alert Type:
Updated *
Bug Id:
CSCus07884
Title:
Cli's for management-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Management traffic uses the data path route.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus33123
Title:
NP Table changes for management-only interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Management traffic uses the data path route.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCus32313
Title:
IPv4 Route addition and deletion through EIGRP on management interface
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Management traffic uses the data path route.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
100.13(0.8)
Known Fixed Releases: *
100.13(27.1), 100.14(0.13), 100.14(10.23), 100.14(4.9), 100.14(5.15), 100.14(6.11), 100.14(7.12), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCta36873
Title:
BTF: DNS query response with EDNS0 option does not get added to DNSRC
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
When DNS snooping is enabled with the Botnet Traffic Filter feature, the ASA is supposed to watch the DNS query responses that pass through it and add them to the DNS Reverse Cache (DNSRC). If the DNS response carries an additional Resource Record (RR) with the EDNS0 option, the ASA passes the response through but does not add it to the DNSRC. As a result, the Botnet Traffic Filter cannot flag malicious traffic to the domain names in the A-record response.

When this issue is seen, 'debug dynamic-filter dns-snooping' prints "rr off end".

Conditions:
DNS snooping is enabled.

Workaround:
None

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2013-5520 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
14-JAN-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.14(0.13), 100.14(10.23), 100.14(2.3), 100.14(5.15), 100.14(6.4), 100.14(7.7), 100.15(0.11), 100.15(1.12), 100.15(1.2), 100.15(2.26)
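The failure mode here is a parser that treats the EDNS0 OPT pseudo-RR in the additional section as if it were a data record and gives up on the whole response. The following is an added example (not Cisco code and not the ASA implementation) of how a DNS-snooping parser should handle it: it walks all four sections, follows name-compression pointers, pulls the OPT RR out separately because its class and TTL fields carry the UDP payload size and extended RCODE rather than real values, and still returns the A records from the answer section. The sample responses are constructed inline; the record name, address and TTL are arbitrary.

```python
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41   # EDNS0 pseudo-RR (RFC 6891); appears only in the additional section


def _read_name(msg, off):
    """Decode a possibly compressed name at offset off.

    Returns (name, offset_after_name). After the first compression pointer the
    caller's offset no longer advances, as RFC 1035 section 4.1.4 requires."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name off end")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("pointer off end")
            if end is None:
                end = off + 2
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _read_rr(msg, off):
    name, off = _read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("rr off end")                  # fixed RR header truncated
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("rr off end")                  # RDATA truncated
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_response(msg):
    """Split a DNS response into question/answer/authority/additional.

    The OPT pseudo-RR is pulled out into 'edns' rather than kept as data: its
    class field is the sender's UDP payload size and its TTL packs the
    extended RCODE, EDNS version and flags."""
    if len(msg) < 12:
        raise ValueError("short header")
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    out = {"question": [], "answer": [], "authority": [], "additional": [], "edns": None}
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question off end")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append((qname, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            if rr["type"] == TYPE_OPT:
                out["edns"] = {"udp_payload": rr["class"], "ext_rcode_flags": rr["ttl"], "options": rr["rdata"]}
            else:
                out[section].append(rr)
    return out


def a_records(msg):
    """(owner name, IPv4) pairs from the answer section: what a reverse cache keyed on address stores."""
    return [(rr["name"], socket.inet_ntoa(rr["rdata"]))
            for rr in parse_response(msg)["answer"]
            if rr["type"] == TYPE_A and len(rr["rdata"]) == 4]


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_sample_response(with_edns0):
    """Constructed sample response: example.com A 10.0.0.1 (TTL 60), optionally
    followed by an EDNS0 OPT pseudo-RR advertising a 4096-byte UDP payload."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if with_edns0 else 0)
    question = _encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    # answer owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton("10.0.0.1")
    msg = header + question + answer
    if with_edns0:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)   # root owner name, no options
    return msg
```

A parser built this way populates the cache identically with or without the OPT record, and a genuinely truncated record still raises rather than being silently accepted.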
Alert Type:
Updated *
Bug Id:
CSCua55270
Title:
Issue warning when executing 'write standby' command on active firewall
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
There is confusion over the functionality of the 'write standby' command and its impact to a failover pair. Many believe that it 'saves' the config on the standby device. This is not the case. This bug is to track a possible change/warning that could be displayed when issuing 'write standby'.

ASA/act# write standby
NOTE: 'write standby' forces a complete re-replication of the configuration from the Active unit to the Standby unit. It does not save the configuration to the startup configuration on the Standby unit. To save the configuration changes to the startup configuration on the Standby, simply use the 'copy running-config startup-config' command or 'write memory' on the Active unit. The command will be replicated to the peer unit and the configuration saved to the startup configuration on both devices.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JAN-2016
Known Affected Releases:
8.0(4), 8.2(5), 8.4(4), 9.0
Known Fixed Releases: *
100.14(0.30), 100.14(10.23), 100.14(5.17), 100.14(7.34), 100.15(0.13), 100.15(1.15), 100.15(2.47), 100.15(3.6), 100.15(4.10), 100.15(5.12)
Alert Type:
Updated *
Bug Id:
CSCuv10516
Title:
Security alert:Python JSON Module Vulnerability
Status:
Open
Severity:
6 Enhancement
Description:

Symptoms:

This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-4616

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4616 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
14-JAN-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 6.0, 9.5(2), 9.5(2.200), 99.1, 99.1(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCub34054
Title:
L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Master unit may not always sync OSPFv2, EIGRP, and OSPFv3 RIB to Slave unit.

Conditions:
ASA Cluster configuration

Workaround:
When the table is not in sync, clear the routing process or neighbor so that the sync from Master to Slave occurs.

Further Problem Description:

Last Modified:
13-JAN-2016
Known Affected Releases: *
100.12(10.45), 100.12(8.16), 100.12(8.23), 100.16(1.64), 100.8(0.217), 8.3, 9.0(1), 9.3(0.101)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus85257
Title:
ASA Connector - Provide Higher Layer Health Checks for CWS Tower
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The ASA may not failover to the backup CWS tower when the CWS tower is in a degraded state but remains responsive to ASA TCP health checks. This may cause traffic interruption in the network environment when the ASA continues to redirect web traffic to the degraded tower. This is an enhancement request to provide more granular health checking between the ASA and the CWS tower.

Conditions:
This can occur if the CWS tower is degraded (not down) but is still able to complete the 3-way TCP handshake with the ASA.

Workaround:
Manually point the ASA to the backup CWS tower

Further Problem Description:

Last Modified:
13-JAN-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
9.2(3.160), 9.2(3.161)
Alert Type:
Updated *
Bug Id:
CSCux13150
Title:
ASDM: Backup/Restore does not work with policy-map global_policy
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
When part of default inspection setting is removed from global_policy, backup/restore does not work with it.
For example, when "inspect esmtp" is disabled on policy-map global_policy and backup/restore configuration after that, "inspect esmtp" is enabled.

In the backup, the configuration looks like this:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
<<<--- inspect esmtp was disabled
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options

But after restoring from the backup, "inspect esmtp" is enabled even though "no inspect esmtp" had been configured. This is not specific to esmtp; tftp, ip-options, or any other default inspection behaves the same way.

Conditions:

Workaround:
Manually disable these inspection settings after restoring.

Further Problem Description:

Last Modified:
08-JAN-2016
Known Affected Releases:
9.2(0)
Known Fixed Releases:
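Since the workaround is to re-disable the inspections by hand, the practical question after every restore is which ones came back. The following is an added example (not Cisco code and not part of ASDM) that answers it: it reads the inspection_default class of global_policy from both the backup and the restored running-config, ignoring indentation because the flattened backup above has none, and emits the 'no inspect' lines needed to bring the restored unit back in line. The two configs are constructed samples built from the list in the bug report.

```python
import re

# A line whose first token is one of these ends the policy-map block being read.
BLOCK_END = ("policy-map", "class-map", "service-policy", "!", "end")


def inspections_in(config, policy="global_policy", klass="inspection_default"):
    """Return the set of 'inspect ...' arguments under `class klass` of
    `policy-map policy` in an ASA config.

    Indentation is ignored on purpose: a backup exported through ASDM may have
    lost it, as the bug report shows, while the running-config keeps it."""
    found = set()
    in_policy = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        token = line.split()[0]
        if token == "policy-map":
            # 'policy-map type inspect ...' headers open a different kind of block;
            # only a plain 'policy-map <name>' opens the one we want
            in_policy = line.split() == ["policy-map", policy]
            in_class = False
            continue
        if not in_policy:
            continue
        if token in BLOCK_END:
            in_policy = in_class = False
            continue
        if token == "class":
            in_class = line.split() == ["class", klass]
            continue
        if not in_class:
            continue
        m = re.match(r"(no\s+)?inspect\s+(.+)$", line)
        if m:
            (found.discard if m.group(1) else found.add)(m.group(2).strip())
    return found


def reinstated_inspections(backup_config, restored_config, **kw):
    """Inspections active after the restore that the backup had removed, i.e.
    the defaults the ASDM restore silently put back."""
    return sorted(inspections_in(restored_config, **kw) - inspections_in(backup_config, **kw))


def fixup_commands(backup_config, restored_config, policy="global_policy", klass="inspection_default"):
    """CLI to paste into the restored ASA to bring the class back in line with the backup."""
    extra = reinstated_inspections(backup_config, restored_config, policy=policy, klass=klass)
    if not extra:
        return []
    return ["policy-map " + policy, " class " + klass] + ["  no inspect " + name for name in extra]


# Constructed sample backup: 'inspect esmtp' and 'inspect tftp' had been removed.
BACKUP = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect ip-options
!
service-policy global_policy global
"""

# Constructed sample running-config after the ASDM restore: both are back.
RESTORED = (BACKUP
            .replace("  inspect rtsp\n", "  inspect rtsp\n  inspect esmtp\n")
            .replace("  inspect netbios\n", "  inspect netbios\n  inspect tftp\n"))

if __name__ == "__main__":
    print("\n".join(fixup_commands(BACKUP, RESTORED)))
```

Run it with the backup file and a fresh 'show running-config' capture; an empty result means the restore matched the backup.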
Alert Type:
Updated *
Bug Id:
CSCux74953
Title:
DHCP-Proxy leases shouldn't be renewed during a failover
Status:
Open
Severity: *
6 Enhancement
Description: *

Symptom:
During an Active/Standby failover event, all DHCP-Proxy leases are renewed by the newly active ASA. This is not desirable, since it may cause ASA and DHCP performance or IP allocation issues.

Request: the standby ASA should keep track of leases so that when it becomes active all leases are already known and there is no need to renew possibly thousands of them, for example when the ASA serves thousands of VPN clients with DHCP address assignment.

Conditions:
Active/Standby Failover and DHCP-Proxy address assignment.

Workaround:
None

Further Problem Description:

Last Modified:
07-JAN-2016
Known Affected Releases:
9.0(4), 9.0(4.213), 9.1(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsv29942
Title:
.NET framework is not working with non-web application/smart-tunnel-list
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
A specific homegrown .NET framework application does not work with the WebVPN smart-tunnel configuration for non-web applications (smart-tunnel-list).

Conditions:
ASA running 8.0.3.9 or any 8.x or 9.x code.

A homegrown .NET framework application is used; the user starts the application from the Start menu.

WebVPN smart-tunnel configuration for non-web applications (smart-tunnel-list) is configured.

Auto-start Smart Tunnels is configured in the group policy using "exe" .exe and app.exe

Workaround:
Use the AnyConnect client to access .NET framework applications.

Further Problem Description:

Last Modified:
07-JAN-2016
Known Affected Releases: *
8.0(3.9), 9.1(6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux74639
Title:
ENH: Add support for SHA-2 certificate with ASA as local CA
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Cisco ASA configured for Local CA server

Conditions:
Cisco ASA 5500-X series firewall running code 9.5.2

Workaround:
None

Further Problem Description:

Last Modified:
06-JAN-2016
Known Affected Releases:
9.5(2.240)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux40506
Title: *
Unable to launch OS X 10.11 Citrix desktop on Citrix Receiver 12
Status:
Other
Severity:
6 Enhancement
Description:

Symptom:
Unable to launch Citrix desktop on Citrix Receiver 12

Conditions:
Launching a Citrix client to a Citrix server through webvpn

Workaround:
none

Further Problem Description:

Last Modified:
04-JAN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:

Find additional information in Bug Search index.

2015 Cisco and/or its affiliates. All rights reserved.