Cisco Blog » The Platform

Wednesday, June 1, 2016

Cisco Notification Alert -ASA 5500 Series NG Firewall-01-Jun-2016 16:44 GMT

Security Advisories & Responses - ASA 5500-X Series Firewalls

Title:
Multiple Cisco Products libSRTP Denial of Service Vulnerability
Description:

Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) library (libSRTP), which addresses a denial of service (DoS) vulnerability. Multiple Cisco products incorporate a vulnerable version of the libSRTP library.

The vulnerability is in the encryption processing subsystem of libSRTP and could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet designed to trigger the issue to an affected device.

The impact of this vulnerability on Cisco products may vary depending on the affected product. Details about the impact on each product are outlined in the "Conditions" section of each Cisco bug for this vulnerability. The bug IDs are listed at the top of this advisory and in the table in "Vulnerable Products."

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Date:
10-MAY-2016
Title:
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Description:

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Date:
18-MAY-2016

Find additional information in Cisco Security Advisories & Responses

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.5.21
Alert Type:
New File
File Name:
asa-device-pkg-1.2.5.21.zip
File Description:

Cisco ASA Device Package 1.2(5.21) for Cisco APIC 1.3(1g)

File Release Date:
03-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
09-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim
Alert Type:
New File
File Name:
asa941-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
10-MAY-2016
Alert Type:
Obsolete File
File Name:
asa941-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
10-MAY-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
31-MAY-2016
Find additional information in Software Downloads index.

Known Bugs - ASA 5500-X Series Firewalls

Alert Type:
Updated *
Bug Id:
CSCuv20449
Title:
Traceback in Thread Name: ssh when using capture or continuous ping
Status:
Fixed
Severity: *
1 Catastrophic
Description:

Symptom:
ASA Traceback in Thread Name: ssh

Conditions:
The crash happens when a rare condition is hit in which two things are happening simultaneously:

1. An interruptible command is in progress in an SSH session. Examples are ping, traceroute, real-time captures, etc.
2. The ASA and the SSH client are in the process of rekeying the SSH connection. This rekey would normally take place approximately every 60 minutes in an SSH session.

Workaround:
Avoid running interruptible commands in an SSH session that has been active for over 50 minutes.

Further Problem Description:

Last Modified:
23-MAY-2016
Known Affected Releases: *
9.1(6), 9.1(6.1), 9.1(6.4), 9.4(1), 9.5(2.232)
Known Fixed Releases:
100.11(0.67), 100.12(0.156), 100.13(0.127), 100.15(0.112), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuq24404
Title:
traceback in thread name: netfs_thread_init
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA5585 reloads in Thread Name: netfs_thread_init

Conditions:
ASA5585 running 9.0.4.20 with file browsing through clientless WebVPN.

Workaround:
None

Further Problem Description:

Last Modified:
29-MAY-2016
Known Affected Releases:
9.0(4.20)
Known Fixed Releases: *
100.11(0.42), 100.12(0.31), 100.12(10.21), 100.12(15.8), 100.12(21.1), 100.12(6.2), 100.12(9.9), 100.8(40.82), 9.0(4.200), 9.0(4.21)
Alert Type:
Updated *
Bug Id:
CSCuz67596
Title:
ASA may Traceback with Thread Name: Unicorn Admin Handler
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA may Traceback with Thread Name: Unicorn Admin Handler

Conditions:
ASA cluster

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.2(4.11), 96.2(0.34), 96.2(11.17), 97.1(0.17), 97.1(1.44), 97.1(3.8), 97.1(9.3)
Alert Type:
New
Bug Id:
CSCuz47295
Title:
ASA: Page fault Traceback in Crypto CA server
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA may generate a traceback in the unicorn proxy thread.

Conditions:
unknown

Workaround:
None as of now.

Further Problem Description:

Last Modified:
02-MAY-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur24053
Title:
ASA Generated Traceback in DATAPATH-0-1271 During XLate Timeout
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
The ASA may generate a traceback and reload in the DATAPATH thread due to a page fault while expiring xlates.

Conditions:
1. Crash observed on ASA version 9.1(5) but may affect other versions as well
2. Must be performing NAT on the ASA so that it is creating and expiring xlates

Workaround:
There are currently no known workarounds

Further Problem Description:

Last Modified:
02-MAY-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz54523
Title:
L2TP-over-IPSec clients connecting to ASAv unable to pass traffic
Status:
Open
Severity:
2 Severe
Description:

Symptom:
L2TP-over-IPSec clients connecting to ASAv unable to pass traffic

Conditions:
L2TP-IPSec clients connecting to an ASA cannot access internal resources, not even via ICMP.

Logs on the ASA show the following message:
%ASA-6-602101: PMTU-D packet 60 bytes greater than effective mtu 65522, dest_addr=10.24.61.201, src_addr=10.24.60.192, prot=icmp

The issue is not seen on the ASAv with the Cisco VPN Client or AnyConnect using the same configuration.

The issue is also not seen on hardware ASAs such as the ASA5510 and 5515.

Workaround:
None

Further Problem Description:

Last Modified:
05-MAY-2016
Known Affected Releases:
9.5(2.200)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux96716
Title: *
Traceback when unit joins cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback seen when a node is added back to cluster

Conditions:
NAT64 is configured in a user context and traffic is sent that matches the NAT configuration. With that NAT configuration in place, disabling clustering on the ASA and then re-enabling it so the unit rejoins the cluster causes the crash.

Workaround:
Avoid NAT configuration in clustering/HA environment

Further Problem Description:

Last Modified:
10-MAY-2016
Known Affected Releases:
100.15(0.87), 96.1(1.54)
Known Fixed Releases: *
100.15(0.114), 9.5(2.210), 9.5(2.7), 9.6(0.99), 9.6(1.1), 96.1(1.65), 96.1(1.88), 96.2(1.118), 96.2(1.175), 96.2(11.6)
Alert Type:
Updated *
Bug Id:
CSCuy21206
Title: *
Traceback when drop is enabled with diameter inspection and tls-proxy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crash while replicating flow

Conditions:
NAT is configured on an ASA that is part of a cluster. When an xlate is created and then replicated to the other cluster units, the crash is triggered.

Workaround:
Avoid NAT configuration in clustering/HA environment

Further Problem Description:

Last Modified:
10-MAY-2016
Known Affected Releases:
96.1(1.68)
Known Fixed Releases: *
100.15(0.114), 9.5(2.210), 9.5(2.7), 9.6(0.99), 9.6(1), 96.1(1.74), 96.1(1.88), 96.2(1.124), 96.2(1.175), 96.2(11.6)
Alert Type:
Updated *
Bug Id:
CSCtq57752
Title:
ASA: IPSec outbound SA data lifetime rekey fails
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

IPSec outbound SA fails to rekey when data lifetime reaches zero kB.

Conditions:

ASA has an IPSec tunnel with a remote peer. The data lifetime on the ASA reaches 0 kB, the lifetime in seconds has not yet expired.

Workaround:

Increase the data lifetime to a very high value (or even the maximum value), or decrease the lifetime in seconds. The lifetime in seconds should ideally expire before the data limit in kB reaches zero. In this manner the rekey will be triggered based on seconds, and the data lifetime issue can be bypassed.

Last Modified:
12-MAY-2016
Known Affected Releases:
100.7(13.39), 8.4(2.240), 8.6(0)
Known Fixed Releases:
100.7(13.40), 100.7(14.32), 100.7(17.5), 100.7(18.4), 100.7(6.48), 100.8(0.35), 100.8(11.2), 100.8(15.11), 100.8(17.8), 100.8(19.27)
Alert Type:
Updated *
Bug Id:
CSCuw17930
Title:
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic may be sent to a wrong tunnel when overlapping

Conditions:
- S2S IPSec VPN
- Remote network which partially overlaps

Workaround:
- Remove and re-apply the crypto map to the interface when the issue is happening,
or
- add a deny statement to the crypto map for the part of the network that overlaps.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.0(4), 9.1(5.21), 9.1(6.8)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.41), 100.15(17.15), 100.15(3.64), 100.15(8.16), 100.16(0.2), 100.16(1.4)
Alert Type:
Updated *
Bug Id:
CSCuu06081
Title:
ASAv licensing enforcement should not be CLI parser based
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASAv does not accept CLI commands without the proper license in place.

Conditions:
NA

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2), 9.4(1.203), 9.5(1.201), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCuw86069
Title:
ASAv Cannot remove/change default global_policy or inspection_default
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
default global_policy and inspection_default class-map are always added back to the configuration after reload

Conditions:
With an ASAv running 9.4.1.200, perform the following commands:
enable
config terminal
policy-map global_policy
class inspection_default
no inspect esmtp
end
write memory
reload

After the reload, the inspect esmtp configuration is back. This happens for all inspect commands, and also if you remove global_policy itself.

Workaround:
If you need to adjust the default inspections being applied, create a new policy-map/class-map configuration and apply it with service-policy global.
This allows you to change which inspections are used.

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.4(1.200)
Known Fixed Releases: *
100.14(0.82), 100.15(0.82), 100.15(20.15), 100.15(8.28), 100.16(0.8), 100.16(1.30), 100.16(14.1), 9.5(1.99), 9.5(2), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCux09765
Title:
ASA is sending RTP traffic to different snort engines
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In some cases pinholes are not created for RTP connections established by calls using the SIP protocol, which prevents the VOIP channel creation for the SIP call

Conditions:
When SIP traffic redirected to snort/ngfw

Workaround:
NONE

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
99.1(3.193)
Known Fixed Releases: *
100.15(0.105), 100.15(0.112), 100.16(0.15), 100.16(1.73), 100.16(12.2), 100.16(14.1), 9.6(0.99), 9.6(1), 96.1(1.20), 96.1(1.59)
Alert Type:
Updated *
Bug Id:
CSCuw19671
Title:
ASA traceback while restoring backup configuration from ASDM
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes in Thread Name: Unicorn Admin Handler while restoring backup configuration through ASDM.

Conditions:
ASA in failover running 9.4(1).

Workaround:

Further Problem Description:
None

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.53), 100.16(14.1), 100.16(15.7), 100.8(40.107)
Alert Type:
Updated *
Bug Id:
CSCuv92371
Title:
ASA traceback: SSH Thread: many users logged in and dACLs being modified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may reload when multiple users are logged into the ASA running show commands while ACLs are being added or deleted.

Conditions:
This was observed under the following condition
1) there were multiple users logged into the ASA
2) One user was trying to run show running-config or show access-list
3) downloadable ACLs were being added and removed based on user logins in auth proxy

Workaround:
If "show access-list" is issued in one session, do not issue "clear config access-list" from another session; let "show access-list" display all elements in the first session before proceeding.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(2), 9.1(6), 9.3(2), 9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.111), 100.14(0.78), 100.15(0.50), 100.15(17.21), 100.15(3.72), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCuw22130
Title:
ASA traceback when removing dynamic PAT statement from cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The master ASA in a cluster running code 9.3.3.2 produced a DATAPATH-1-1958 traceback resulting from an "Address not mapped" fault.

Statement removed was:

no nat (visitors,outside) source dynamic Guest_network PAT-Guest-Pool

Conditions:
- ASA running code 9.3.3.2
- Individual (L3) mode
- Removing a dynamic PAT rule

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.15(8.33), 100.16(0.10), 100.16(1.50), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCut40770
Title:
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Some configured ASA interfaces are missing or not displayed in Firesight Management Center.

Conditions:
Interface TLV ethernet frame greater than 2048 bytes. Usually occurs with multiple interfaces and sub-interfaces configured with lengthy names for each interface.

Workaround:
Enable jumbo-frame reservation on ASA.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(1.221), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.11(0.67), 100.12(0.153), 100.12(0.156), 100.13(0.119), 100.13(0.127), 100.14(0.82), 100.15(0.112), 100.15(0.80), 100.15(20.14)
Alert Type:
Updated *
Bug Id:
CSCuv47191
Title:
9.5.1 - Crash in bcm_esw_init thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA crashed in the bcm_esw_init thread and reloaded during boot.

Conditions:
This crash was seen while booting a 5585-60.

Workaround:
None.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.5(0.108), 96.1(1.31)
Known Fixed Releases: *
100.13(0.129), 100.15(0.112), 9.4(2.101), 9.4(3), 9.5(2.7), 9.6(0.99), 9.6(1), 96.1(1.73), 96.2(1.123)
Alert Type:
Updated *
Bug Id:
CSCuu82229
Title:
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After the rekey, traffic fails to pass.

Conditions:
After a rekey using DH group 19 or above.

Workaround:
Use a lower DH group (1, 2, 5, or 14).

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4, 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.113), 100.14(0.79), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.1), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv87760
Title:
Unicorn proxy thread traceback with RAMFS processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in Unicorn Proxy Thread while using WebVPN.

Conditions:
Cisco ASA running release 9.3.3.223 with WebVPN enabled.

Workaround:
None.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.2(4), 9.3(3), 9.3(3.223), 9.4(1.112), 9.4(1.5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP with a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station so that they do not include the affected OIDs.

Last Modified:
16-MAY-2016
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.12(0.156), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9)
Alert Type:
Updated *
Bug Id:
CSCuv87150
Title:
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5525 running version 9.5(1) crashing in Thread Name: fover_parse (ramfs)

Conditions:
ASA is in failover pair.

Workaround:
No workaround

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4(1.5), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.14(5.34), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3)
Alert Type:
Updated *
Bug Id:
CSCuw22886
Title:
Split-tunnel not working for EzVPN client on Kenton device (9.5.1)
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The EzVPN client connects; however, the split tunnel is not applied.

Conditions:
Using ASA5506 Kenton with ASA code 9.5.1

Workaround:
none

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2), 9.5(1.99), 9.5(2)
Alert Type:
Updated *
Bug Id:
CSCuv21478
Title:
Cisco ASA tunnel group parameter validation
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Cisco ASA configured for WebVPN does not perform validation of the tgroup parameter. In some cases this can be used to pass additional parameters to the internal resources that are being proxied via the WebVPN service.

Conditions:
Clientless SSL VPN is configured.

Workaround:
None

Further Problem Description:
This is not an issue on the ASA itself; however, additional hardening has been implemented to avoid the problem.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
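
The validation this record refers to, as an added illustration (generic example code for this digest, not the ASA's WebVPN implementation): a request parameter that is copied into a proxied request without being checked against the configured tunnel groups lets a client append parameters the backend was never meant to receive. The internal URL, the extra parameter and the tunnel-group names are invented for the example.

```python
"""Allow-list validation of a tunnel-group (tgroup) request parameter.

Added example for this digest: a generic illustration of the failure class the
record describes, not the ASA's WebVPN code. The internal URL, parameter names
and tunnel-group names below are invented for the example.
"""
from urllib.parse import parse_qs, urlencode

INTERNAL_BASE = "http://intranet.example/portal"                               # assumed proxied resource
CONFIGURED_TUNNEL_GROUPS = {"DefaultWEBVPNGroup", "Employees", "Contractors"}  # assumed configuration


def is_valid_tgroup(tgroup: str) -> bool:
    """Accept only names that exist in the configuration. A legitimate name with
    anything appended to it is not a configured name and is rejected."""
    return tgroup in CONFIGURED_TUNNEL_GROUPS


def build_proxied_url_unvalidated(tgroup: str) -> str:
    """Vulnerable form: the client-supplied value is pasted into the internal request."""
    return f"{INTERNAL_BASE}?tgroup={tgroup}"


def build_proxied_url_validated(tgroup: str) -> str:
    """Hardened form: allow-list check first, then URL-encode so the value can only
    ever occupy a single query parameter."""
    if not is_valid_tgroup(tgroup):
        raise ValueError(f"unknown tunnel group: {tgroup!r}")
    return f"{INTERNAL_BASE}?{urlencode({'tgroup': tgroup})}"


def params_reaching_backend(url: str) -> dict:
    """The query parameters the proxied resource would actually receive."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


if __name__ == "__main__":
    # Constructed client input: a real group name with an extra parameter appended.
    smuggled = "Employees&debug=1"
    print(params_reaching_backend(build_proxied_url_unvalidated(smuggled)))
    # {'tgroup': 'Employees', 'debug': '1'}: the backend sees a parameter the client should not control
    print(is_valid_tgroup(smuggled))                                          # False
    print(params_reaching_backend(build_proxied_url_validated("Employees")))  # {'tgroup': 'Employees'}
```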

Last Modified:
16-MAY-2016
Known Affected Releases:
8.4(2), 8.4(7.2), 8.4(7.27), 8.4(7.28), 9.3(1)
Known Fixed Releases: *
100.11(0.63), 100.11(0.64), 100.12(0.150), 100.12(0.151), 100.13(0.111), 100.13(0.114), 100.14(0.78), 100.14(0.79), 100.15(0.50), 100.15(0.56)
Alert Type:
Updated *
Bug Id:
CSCus16416
Title:
Share licenses are not activated on failover pair after power cycle
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Shared/combined licenses are not activated on a failover pair after the pair is power-cycled.
If both the active and standby units are powered off and only the standby unit is then booted, the shared/combined licenses on the standby unit are lost.

Conditions:
Failover environments.

Workaround:
Execute the 'reload' command once on the failover pair.

Further Problem Description:
None

Last Modified:
16-MAY-2016
Known Affected Releases:
9.0, 9.1(5.19)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(14.1), 100.16(15.1), 100.16(15.5)
Alert Type:
Updated *
Bug Id:
CSCuw16607
Title:
ASA EIGRP does not send poison reverse for neighbors to remove route
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When the ASA redistributes a static route and then learns a better route for the same prefix, the redistributing ASA does not send a poison reverse towards its neighbors. The neighbors keep stale entries in their EIGRP topology table, which sometimes causes routing to take the wrong path.

Conditions:
Example: R1 ----{BGP }--- R2---{EIGRP}----ASA-----R3

R1 advertises a default route to R2 via BGP.

R2 redistributes the default route from BGP into EIGRP.

The ASA has a floating (AD 180) static default route that it redistributes into EIGRP towards R2.

When the BGP route goes away, the ASA's route is advertised to the network; when the BGP route is learned again, the ASA removes the floating static from its routing table and stops advertising it towards R2. The problem is that R2 still holds the topology entry for the floating static, because the ASA never sends a poison reverse marking the route with an infinite metric, which is what would make R2 remove it from its topology table.

This sometimes causes the BGP route to take over until redistribution on the ASA is removed and reapplied.

This can also be seen if the floating static route is deleted from the ASA: R1 still keeps the topology entry for that route even though it no longer exists on the ASA.


This happens in 9.1.6, 8.4.7 and 8.2.5.

Workaround:
Remove redistribution from ASA and add it again.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.0, 9.1(1.3)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.80), 100.15(0.64), 100.15(17.28), 100.15(19.3), 100.15(20.8), 100.15(8.21), 100.16(0.5)
Alert Type:
Updated *
Bug Id:
CSCuv49446
Title:
ASA traceback on Standby device during config sync in thread DATAPATH
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback on Standby device in thread DATAPATH

The standby ASA crashes during failover synchronization.
In some cases the ASA crashed multiple times and then stabilized.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.95), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host connected through clientless SSL VPN (using the RDP plugin) opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover is configured on an active/standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on the standby ASA unit due to a specific connection through the ASA from a host connected to clientless SSL VPN, when stateful failover is enabled.
That host opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, the active ASA builds a single connection,
while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on the secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a lot of connection teardown on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see many RST packets among the ASP drops on the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
Notably, both the source MAC and the destination MAC are all zeros in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
We also see a large volume of packets being transferred from the active to the standby ASA.

In the failover debugs (fover rx) we find only the following messages:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

Decoding the CPU profile output from the standby ASA shows that the high CPU is due to LU (logical update) processing.
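
A detection check for the standby-side symptom described above, as an added example for this digest (not Cisco tooling): parse %ASA-6-302014 teardown messages and flag any flow that is torn down repeatedly within a short window. The first two sample lines are the ones quoted in this record; the remaining lines are constructed. The 60-second window and the threshold of three teardowns are assumptions to tune for your environment.

```python
"""Flag connection churn in ASA %ASA-6-302014 teardown messages.

Added example for this digest, not Cisco tooling. Parses the 302014 format shown
in the record and flags a flow whose src/dst/port/reason tuple is torn down
repeatedly inside a short window, which is the standby-side symptom described
above. Window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

TEARDOWN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-302014: Teardown TCP connection "
    r"(?P<conn>\d+) for (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?:\([^)]*\))? "
    r"to (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) duration \d+:\d{2}:\d{2} "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

Flow = Tuple[str, str, str, str, str]  # src_ip, src_port, dst_ip, dst_port, teardown reason


class Teardown(NamedTuple):
    ts: datetime
    conn_id: int
    flow: Flow
    nbytes: int


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one 302014 syslog line; return None for anything else."""
    m = TEARDOWN_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    flow = (m["src_ip"], m["src_port"], m["dst_ip"], m["dst_port"], m["reason"].strip())
    return Teardown(ts, int(m["conn"]), flow, int(m["bytes"]))


def flag_churn(lines: List[str], window: timedelta = timedelta(seconds=60),
               threshold: int = 3) -> Dict[Flow, dict]:
    """Return {flow: summary} for every flow torn down at least `threshold` times within `window`."""
    by_flow: Dict[Flow, List[Teardown]] = defaultdict(list)
    for line in lines:
        t = parse_teardown(line)
        if t is not None:
            by_flow[t.flow].append(t)

    flagged: Dict[Flow, dict] = {}
    for flow, events in by_flow.items():
        events.sort(key=lambda e: e.ts)
        start, peak = 0, 0
        for end, ev in enumerate(events):            # sliding window over sorted timestamps
            while ev.ts - events[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[flow] = {
                "teardowns": len(events),
                "peak_in_window": peak,
                # identical byte counts across distinct connection IDs point at duplicated
                # state rather than independent sessions, as in the record above
                "identical_bytes": len({e.nbytes for e in events}) == 1,
                "conn_ids": [e.conn_id for e in events],
            }
    return flagged


# Constructed sample: the first two lines are from the record, the rest are made up.
SAMPLE_SYSLOG = r"""
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:35: %ASA-6-302014: Teardown TCP connection 27554301 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:36: %ASA-6-302014: Teardown TCP connection 27554377 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:40: %ASA-6-302014: Teardown TCP connection 27554400 for inside:10.1.1.20/51234 to outside:203.0.113.10/443 duration 0:00:12 bytes 8812 TCP FINs
""".strip().splitlines()

if __name__ == "__main__":
    for flow, info in flag_churn(SAMPLE_SYSLOG).items():
        print(flow, info)
```

On a healthy pair the same check run against the active unit's syslog should flag nothing for the flow; the asymmetry between active and standby is the signal.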

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.11(0.62), 100.11(0.63), 100.12(0.142), 100.12(0.148), 100.13(0.106), 100.13(0.95), 100.14(0.71), 100.14(0.76), 100.14(16.8), 100.14(16.9)
Alert Type:
Updated *
Bug Id:
CSCuv94338
Title:
ASA traceback in Thread Name: CP Crypto Result Processing.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashing in Thread Name: CP Crypto Result Processing.

Conditions:
N/A

Workaround:
No workaround

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13)
Alert Type:
Updated *
Bug Id:
CSCuu91304
Title:
Immediate FIN from client after GET breaks scansafe connection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Connections through the ASA to a ScanSafe tower may fail if the client sends a FIN packet immediately after the GET request. This hangs the TCP connection and causes the transaction to fail.

Conditions:
This is seen if the client sends a TCP FIN before any data comes back from the tower.

Workaround:
None at this time

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.71), 100.15(17.32), 100.15(20.11), 100.15(8.23), 100.16(0.6), 100.16(1.19)
Alert Type:
Updated *
Bug Id:
CSCun21186
Title:
ASA traceback when retrieving idfw topn user from slave
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The slave unit crashes while trying to join the master, during configuration replication.

Conditions:
After a context is configured on an active cluster, the slave disables clustering.

When the differences in the context configuration are corrected and the slave is made to rejoin, the slave crashes.

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.0(2)
Known Fixed Releases: *
100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(38.121), 100.8(40.62), 100.8(56.26), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Alert Type:
Updated *
Bug Id:
CSCuv92384
Title:
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a connection entry on the ASA is in the half-open state and an invalid ACK (sequence and acknowledgement numbers out of sequence) is received for that connection, the ASA drops the invalid ACK but responds to the TCP peer with a packet carrying the PUSH and ACK flags and the sequence and acknowledgement numbers that the ASA expects from the peer. Per the RFC below, the ASA should not respond with PUSH ACK to invalid ACK segments while the connection is half-open; it should respond with a segment carrying the RESET flag instead.

https://tools.ietf.org/html/rfc793#section-3.5

Information from the RFC link above:

2. If the connection is in any non-synchronized state (LISTEN,
SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges
something not yet sent (the segment carries an unacceptable ACK), or
if an incoming segment has a security level or compartment which
does not exactly match the level and compartment requested for the
connection, a reset is sent.

Conditions:
ASA acting as a TCP normalizer.

Workaround:
Configure TCP state bypass.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
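
The RFC 793 rules behind the quoted paragraph, as a small added model (example code for this digest, not ASA code; all sequence numbers are constructed). The quoted text is item 2 of the RFC's "Reset Generation" rules; the model also covers items 1 and 3 so the half-open case can be contrasted with the synchronized one. observed_normalizer_response models the behaviour this record describes purely for contrast, and makes the caveat visible: a PUSH ACK that carries the numbers the normalizer expects tells an unauthenticated peer exactly what to put in its next segment, whereas a RST that takes its sequence number from the offending ACK discloses nothing the sender did not already know.

```python
"""RFC 793 'Reset Generation' rules for an unacceptable ACK, as a small model.

Added example for this digest, not ASA code. Returns what a conforming TCP
endpoint or normalizer should send back when a segment's ACK acknowledges data
that was never sent, and contrasts it with the behaviour the record describes.
All sequence numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

MOD = 1 << 32
NON_SYNCHRONIZED = {"LISTEN", "SYN-SENT", "SYN-RECEIVED"}


@dataclass
class Conn:
    state: str
    iss: int        # initial send sequence number
    snd_nxt: int    # next sequence number we will send
    rcv_nxt: int    # next sequence number we expect from the peer


@dataclass
class Segment:
    seq: int
    ack: Optional[int]   # None when the ACK flag is clear
    length: int = 0      # payload bytes, plus one each for SYN and FIN


def seq_between(lo: int, x: int, hi: int) -> bool:
    """lo < x <= hi in 32-bit modular sequence-number arithmetic."""
    return 0 < (x - lo) % MOD <= (hi - lo) % MOD


def ack_acceptable(conn: Conn, seg: Segment) -> bool:
    """An ACK is acceptable only if it acknowledges something already sent: ISS < SEG.ACK <= SND.NXT."""
    return seg.ack is not None and seq_between(conn.iss, seg.ack, conn.snd_nxt)


def respond(conn: Conn, seg: Segment) -> dict:
    """What RFC 793 says to send back for `seg` arriving on `conn`."""
    if conn.state == "CLOSED":
        # Rule 1: no connection. RST with seq taken from the ACK field if present,
        # otherwise seq 0 and an ACK covering the offending segment.
        if seg.ack is not None:
            return {"flags": "RST", "seq": seg.ack}
        return {"flags": "RST,ACK", "seq": 0, "ack": (seg.seq + seg.length) % MOD}
    if seg.ack is None:
        return {"flags": "drop"}            # no ACK to judge; nothing to send
    if ack_acceptable(conn, seg):
        return {"flags": "accept"}
    if conn.state in NON_SYNCHRONIZED:
        # Rule 2 (the quoted paragraph): half-open connection + unacceptable ACK -> RST whose
        # sequence number is the peer's own ACK value. Nothing about SND.NXT/RCV.NXT leaks.
        return {"flags": "RST", "seq": seg.ack}
    # Rule 3: synchronized state -> drop the segment, send an empty ACK with the current
    # numbers, and stay in the same state.
    return {"flags": "ACK", "seq": conn.snd_nxt, "ack": conn.rcv_nxt}


def observed_normalizer_response(conn: Conn, seg: Segment) -> dict:
    """The behaviour this record describes: a PUSH ACK carrying the numbers the normalizer
    expects, sent even while the connection is half-open. Modelled only for contrast."""
    return {"flags": "PSH,ACK", "seq": conn.snd_nxt, "ack": conn.rcv_nxt}


if __name__ == "__main__":
    half_open = Conn("SYN-RECEIVED", iss=1000, snd_nxt=1001, rcv_nxt=5001)
    bad_ack = Segment(seq=5001, ack=1500)        # acknowledges 499 bytes that were never sent
    print("RFC 793:", respond(half_open, bad_ack))                        # RST, seq 1500
    print("record: ", observed_normalizer_response(half_open, bad_ack))  # PSH,ACK with 1001/5001
```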

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCuw87331
Title:
ASA: Traceback in Thread name DATAPATH-7-1918
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may unexpectedly reload and generate a traceback in Thread Name Datapath

Conditions:
n/a

Workaround:
Disable threat-detection TCP Intercept statistics (no threat-detection statistics tcp-intercept).

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.109), 100.16(0.19), 100.16(1.98), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171)
Alert Type:
Updated *
Bug Id:
CSCuw14334
Title:
Trace back with Thread Name: IP Address Assign
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback Thread Name: IP Address Assign and assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE" failed: file "slib_malloc.c"

Conditions:
IPv6 addresses assigned via username attributes or via external AAA server.

Workaround:
Use IPv6 address pools instead of username attributes or external AAA server.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(3.2), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.69), 100.15(17.31), 100.15(20.11), 100.15(8.22), 100.16(0.6), 100.16(1.18)
Alert Type:
Updated *
Bug Id:
CSCuw09578
Title:
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5585-20 in an Active/Standby failover pair generates a traceback.

Conditions:

Workaround:
none

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(3.224)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCus53126
Title:
ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After 'traffic-forward sfr monitor-only' is configured, traffic is forwarded out of the MGMT0/0 interface instead of the selected interface. This also causes loss of IP connectivity to the ASA through MGMT0/0.

Conditions:
ASA running in transparent mode, with the command issued on any of the ASA built-in ports (G0/0, G0/1, etc.). When used on blade ports (G1/0, G1/1, etc.), the command works as described in the manual.

Workaround:
Unknown

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.51), 100.16(14.1), 100.16(15.7), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCuv42720
Title:
Egress ACL with ICMP Types Misbehaving.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Configuring an ACL on the outbound port of a device may cause some traffic to be dropped even though the ACL policy permits the dropped packet(s).

Conditions:
The following policy, applied to the outbound port, drops packets with types 2-129.

ASA5506X# show run access-list
access-list unh-out extended permit icmp6 any6 any6 unreachable 0
access-list unh-out extended permit icmp6 any6 any6 unreachable 1
access-list unh-out extended permit icmp6 any6 any6 unreachable 2
access-list unh-out extended permit icmp6 any6 any6 unreachable 3
access-list unh-out extended permit icmp6 any6 any6 unreachable 4
access-list unh-out extended permit icmp6 any6 any6 unreachable 5
access-list unh-out extended permit icmp6 any6 any6 unreachable 6
access-list unh-out extended permit icmp6 any6 any6 packet-too-big 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 0
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 2
access-list unh-out extended permit icmp6 any6 any6 echo 0

%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 2, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 2) by access-group "unh-out" [0x0, 0x0]

ASA5506X# show access-list unh-out
access-list unh-out; 14 elements; name hash: 0x91e2c362
access-list unh-out line 1 extended permit icmp6 any6 any6 unreachable 0 (hitcnt=0) 0x4e0ab796
access-list unh-out line 2 extended permit icmp6 any6 any6 unreachable 1 (hitcnt=20) 0xa549de20
access-list unh-out line 3 extended permit icmp6 any6 any6 unreachable 2 (hitcnt=0) 0x3e3005b5
access-list unh-out line 4 extended permit icmp6 any6 any6 unreachable 3 (hitcnt=0) 0x60363c63
access-list unh-out line 5 extended permit icmp6 any6 any6 unreachable 4 (hitcnt=0) 0xeb98c4e3
access-list unh-out line 6 extended permit icmp6 any6 any6 unreachable 5 (hitcnt=0) 0x4b9b65f1
access-list unh-out line 7 extended permit icmp6 any6 any6 unreachable 6 (hitcnt=0) 0x53e45a3f
access-list unh-out line 8 extended permit icmp6 any6 any6 packet-too-big 0 (hitcnt=0) 0x9b62e1db
access-list unh-out line 9 extended permit icmp6 any6 any6 time-exceeded 0 (hitcnt=0) 0x5362e1e1
access-list unh-out line 10 extended permit icmp6 any6 any6 time-exceeded 1 (hitcnt=0) 0xf7a7cc36
access-list unh-out line 11 extended permit icmp6 any6 any6 parameter-problem 0 (hitcnt=0) 0x453e9232
access-list unh-out line 12 extended permit icmp6 any6 any6 parameter-problem 1 (hitcnt=0) 0x780a5e2e
access-list unh-out line 13 extended permit icmp6 any6 any6 parameter-problem 2 (hitcnt=0) 0x4a0104ef
access-list unh-out line 14 extended permit icmp6 any6 any6 echo 0 (hitcnt=0) 0xf50e5b9d
ASA5506X#
ASA5506X# show runn access-group
access-group unh-out out interface priv

Workaround:
None

Further Problem Description:
N/A
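
An added cross-check for this kind of ACL behaviour (example code for this digest, not Cisco tooling): parse the permit icmp6 entries and the 106023 deny messages shown above, and report every deny that the configured policy should have permitted. The sample data is a subset of the ACL and the six deny lines from this record, plus one constructed deny (type 128, code 1) that the policy genuinely does not permit, so the check has a negative case. ICMPv6 type keywords beyond those in the record are mapped from RFC 4443 type numbers.

```python
"""Cross-check ASA ICMPv6 ACL entries against %ASA-4-106023 deny messages.

Added example for this digest, not Cisco tooling. Parses 'access-list ... icmp6'
running-config lines and 106023 deny logs, maps ICMPv6 type keywords to their
RFC 4443 numbers, and reports every deny the configured policy should have
permitted. Keywords beyond those in the record are mapped from RFC 4443.
"""
import re
from typing import Dict, List, NamedTuple, Optional

ICMP6_TYPES: Dict[str, int] = {
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3, "parameter-problem": 4,
    "echo": 128, "echo-reply": 129, "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136,
}
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) icmp6 (?P<src>\S+) (?P<dst>\S+)"
    r"(?: (?P<type>[a-z-]+|\d+)(?: (?P<code>\d+))?)?$"
)
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny icmp src (?P<src_if>[^:]+):(?P<src>\S+) dst (?P<dst_if>[^:]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) by access-group "(?P<acl>[^"]+)"'
)


class Ace(NamedTuple):
    action: str
    icmp_type: Optional[int]   # None = any type
    icmp_code: Optional[int]   # None = any code


def parse_acls(config_lines: List[str]) -> Dict[str, List[Ace]]:
    """ACL name -> ordered icmp6 ACEs. Lines that are not icmp6 ACEs are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        t = m["type"]
        if t is None:
            icmp_type = None
        elif t.isdigit():
            icmp_type = int(t)
        elif t in ICMP6_TYPES:
            icmp_type = ICMP6_TYPES[t]
        else:
            raise ValueError(f"unknown icmp6 type keyword {t!r} in: {line}")
        code = None if m["code"] is None else int(m["code"])
        acls.setdefault(m["acl"], []).append(Ace(m["action"], icmp_type, code))
    return acls


def policy_verdict(aces: List[Ace], icmp_type: int, icmp_code: int) -> str:
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for ace in aces:
        if (ace.icmp_type is None or ace.icmp_type == icmp_type) and \
           (ace.icmp_code is None or ace.icmp_code == icmp_code):
            return ace.action
    return "deny"


def find_mismatches(config_lines: List[str], log_lines: List[str]) -> List[dict]:
    """Logged denies that the configured policy would have permitted."""
    acls = parse_acls(config_lines)
    out = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        t, c = int(m["type"]), int(m["code"])
        if policy_verdict(acls.get(m["acl"], []), t, c) == "permit":
            out.append({"acl": m["acl"], "type": t, "code": c, "src": m["src"], "dst": m["dst"]})
    return out


# Sample data: a subset of the ACL and the six deny lines from the record, plus one
# constructed deny (type 128, code 1) that the policy genuinely does not permit.
SAMPLE_ACL = """
access-list unh-out extended permit icmp6 any6 any6 unreachable 0
access-list unh-out extended permit icmp6 any6 any6 unreachable 1
access-list unh-out extended permit icmp6 any6 any6 packet-too-big 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 0
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 2
access-list unh-out extended permit icmp6 any6 any6 echo 0
""".strip().splitlines()
SAMPLE_DENIES = """
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 2, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 2) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 128, code 1) by access-group "unh-out" [0x0, 0x0]
""".strip().splitlines()

if __name__ == "__main__":
    for mm in find_mismatches(SAMPLE_ACL, SAMPLE_DENIES):
        print("policy permits but device denied:", mm)
```

A non-empty report is the signature of this bug, or of an ACL whose order differs from what you think it is; an empty report with traffic still failing points somewhere other than the ACL.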

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(1.36), 100.16(14.1), 100.16(15.1), 100.16(15.5), 9.4(1.7)
Alert Type:
Updated *
Bug Id:
CSCux33808
Title:
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may reboot when FIPS is enabled, with errors such as the following displayed on the console:
"ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]"
"ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:12:0:2:19]"

Conditions:
FIPS mode is enabled on the ASA.

Workaround:
Reload the ASA, or disable FIPS mode ('no fips enable').

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.126), 100.15(0.111), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 9.6(1), 96.1(1.58), 96.2(1.109)
Alert Type:
Updated *
Bug Id:
CSCuv58559
Title:
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: DATAPATH

Conditions:
1) The "set connection" configuration under MPF is being modified.
2) Live traffic matching the MPF connection policy is passing through both units.

Workaround:
Do not modify the connection MPF policy while live traffic is inspected through it.

Further Problem Description:
Sample config:

policy-map global_policy
class conn-test
set connection conn-max 4000 embryonic-conn-max 2500

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuz04534
Title:
Memory leak in 112 byte bin when packet hits PBR and WCCP rules
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Memory usage on ASA increases over a period of time

Conditions:
1. Policy Based Routing is applied on an interface.
2. WCCP redirection is enabled on the same interface, where PBR is applied.
3. ASA receives traffic that hits both PBR access-list and WCCP redirect rule.

Workaround:
Exclude the traffic that is redirected to the WCCP server from the PBR access-list. Note that not all traffic selected by the WCCP redirect-list is redirected to the WCCP server: the WCCP server "informs" the ASA which TCP port numbers should be redirected to it.

How to find out what TCP port traffic is redirected to WCCP Server
==================================================================

Run the command "show wccp service". Output similar to the following should be shown.

WCCP service information definition:
Type: Dynamic
Id: 90
Priority: 240
Protocol: 6
Options: 0x00000011
--------
Hash: SrcIP
Alt Hash: -none-
Ports: Destination:: 80 443 0 0 0 0 0 0 <===

In the above example, TCP traffic to ports 80 and 443 is redirected to the WCCP server.
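
The workaround steps above, scripted as an added example for this digest (not Cisco tooling): parse the "show wccp service" output shown, keep the non-zero ports, and emit deny entries to place at the top of the PBR access list so that WCCP-redirected traffic no longer matches it. The PBR ACL name and the any/any match are assumptions; only the "Ports: Destination::" form shown in the record is handled, and a "Source::" list is treated symmetrically on the source side.

```python
"""Extract WCCP-redirected ports from 'show wccp service' and build PBR exclusions.

Added example for this digest, not Cisco tooling. Parses the output format shown
in the workaround above and emits the deny entries to place at the top of the
PBR access list so that WCCP-redirected traffic no longer matches it. The PBR
ACL name and the any/any match are assumptions.
"""
import re
from typing import List, Optional, TypedDict

ID_RE = re.compile(r"^\s*Id:\s+(?P<id>\d+)\s*$")
PROTO_RE = re.compile(r"^\s*Protocol:\s+(?P<proto>\d+)\s*$")
PORTS_RE = re.compile(r"^\s*Ports:\s+(?P<dir>Source|Destination)::\s+(?P<ports>\d+(?:\s+\d+)*)")
IP_PROTO = {6: "tcp", 17: "udp"}


class WccpService(TypedDict):
    service_id: Optional[int]
    protocol: str
    direction: Optional[str]
    ports: List[int]


def parse_wccp_service(output: str) -> WccpService:
    """Pull the service id, IP protocol and the non-zero redirected ports out of the CLI output."""
    svc: WccpService = {"service_id": None, "protocol": "ip", "direction": None, "ports": []}
    for line in output.splitlines():
        if m := ID_RE.match(line):
            svc["service_id"] = int(m["id"])
        elif m := PROTO_RE.match(line):
            svc["protocol"] = IP_PROTO.get(int(m["proto"]), m["proto"])
        elif m := PORTS_RE.match(line):
            svc["direction"] = m["dir"]
            # the eight-slot port list is padded with zeros; only the real ports matter
            svc["ports"] = [int(p) for p in m["ports"].split() if int(p) != 0]
    return svc


def pbr_exclusion_aces(svc: WccpService, pbr_acl: str = "PBR-ACL",
                       src: str = "any", dst: str = "any") -> List[str]:
    """Deny ACEs numbered from line 1 so they sit above the existing PBR permit entries.
    A deny in a route-map match ACL means 'do not policy-route': the traffic follows the
    normal routing table and only the WCCP redirect handles it."""
    aces = []
    for n, port in enumerate(svc["ports"], start=1):
        if svc["direction"] == "Destination":
            ace = f"access-list {pbr_acl} line {n} extended deny {svc['protocol']} {src} {dst} eq {port}"
        else:
            ace = f"access-list {pbr_acl} line {n} extended deny {svc['protocol']} {src} eq {port} {dst}"
        aces.append(ace)
    return aces


# Sample output as shown in the record (constructed copy, including the '<===' marker).
SAMPLE_SHOW_WCCP_SERVICE = """
WCCP service information definition:
Type: Dynamic
Id: 90
Priority: 240
Protocol: 6
Options: 0x00000011
--------
Hash: SrcIP
Alt Hash: -none-
Ports: Destination:: 80 443 0 0 0 0 0 0 <===
"""

if __name__ == "__main__":
    service = parse_wccp_service(SAMPLE_SHOW_WCCP_SERVICE)
    print(service)
    for ace in pbr_exclusion_aces(service):
        print(ace)
```

Re-run the parse whenever the WCCP server changes its advertised ports; the exclusion list is only as current as the last "show wccp service" output it was built from.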

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.4(1), 9.5(2.6), 9.6(1)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 9.4(3.1), 96.2(0.16), 96.2(11.13), 97.1(0.15), 97.1(1.34), 97.1(3.7), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuz10371
Title:
ASA Traceback and reload by strncpy_sx.c
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload unexpectedly. The output of 'show crash' may indicate that the thread that caused the crash is labelled as 'idfw_proc' and the faulting action is unknown.

This is different than bug CSCuy03024 in which the faulting action is Page Fault.

Conditions:
- First observed on an ASA running 9.5.2, and then also in 9.5.2.5.
- The crash was triggered during configuration synchronization from the active to the standby unit in a failover pair; the standby unit crashed when receiving the configuration.

Workaround:
N/A

Further Problem Description:

Last Modified:
18-MAY-2016
Known Affected Releases: *
9.1(2), 9.5(2), 9.5(2.5)
Known Fixed Releases:
100.11(0.71), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.2(4.9), 9.4(2.111), 9.4(3), 9.5(2.7), 9.6(1.1), 96.1(1.88)
Alert Type:
Updated *
Bug Id:
CSCus37458
Title:
ASA traceback in Thread name DATAPATH when handling multicast packet
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA or ASASM traceback in Thread name DATAPATH

Conditions:
ASASM/ASA running software version 9.3(2), 9.4(2.6), 9.5(1), 9.5(2.2). Other versions can be affected as well.

Workaround:
We believe the issue is not present in the 9.3(1.1) release, but downgrading to that release is not recommended for several reasons, including security (PSIRT issues) and the limited support lifetime of the 9.3(1) release train.

Further Problem Description:
The crash happens during forwarding of multicast packets. So far the crash has been observed for the following protocols: WS-Discovery (UDP/3702), Service Location Protocol (UDP/427) and Simple Service Discovery Protocol (UDP/1900). One possible workaround is to block multicast traffic for these protocols on neighboring routers/switches so that it does not reach the ASA, or to block all multicast traffic and allow only production multicast traffic.

Last Modified:
19-MAY-2016
Known Affected Releases:
9.3(2), 9.4(2.6), 9.5(1), 9.5(2.2)
Known Fixed Releases: *
100.13(0.137), 100.15(0.115), 9.4(3.1), 9.5(2.7), 9.6(1.1), 96.1(1.89), 96.2(1.179), 96.2(11.9), 97.1(0.12), 97.1(1.24)
Alert Type:
Updated *
Bug Id:
CSCur59704
Title:
ASA: Traceback in idfw_proc
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA traceback on Thread name: idfw_proc

Conditions:
The issue is related to usage of FQDN objects along with 'object-group-search access-control' feature.

Workaround:
Disable 'object-group-search access-control' or do not use FQDN objects.

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases:
100.11(0.54), 100.12(0.104), 100.13(0.12), 100.13(1.15), 100.13(16.23), 100.13(19.6), 100.13(20.3), 100.13(21.3), 100.13(23.1), 100.7(6.137)
Alert Type:
Updated *
Bug Id:
CSCux71674
Title:
ASA: Traceback with Thread name Unicorn Admin Handler due to ACL config
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA traceback with thread name Unicorn Admin Handler, possibly due to ACL configuration on the ASA.

Conditions:
No Specific conditions for this crash

Workaround:
None at this time

Further Problem Description:

Last Modified:
20-MAY-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus10787
Title:
Transactional ACL commit will bypass security policy during compilation
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic can bypass the security policy when a transactional-commit access list is configured. This can happen only when a new ASA is added to a cluster and the access-list configuration is newly applied, and only during compilation time. Interface security levels are still respected, so no traffic is passed from an interface with a lower security level to an interface with a higher security level.

Conditions:
Cisco ASA Software is affected by this issue if the transactional-commit access list feature is enabled. This can be determined by using the show running-config asp rule-engine transactional-commit access-group command and verifying that it returns output.
The following example shows a Cisco ASA configured with transactional-commit feature:

ciscoasa# show running-config asp rule-engine transactional-commit access-grou$
asp rule-engine transactional-commit access-group

Note: Transactional-commit feature is not configured by default.

Workaround:
There is no workaround other than disabling the feature.

Further Problem Description:
A vulnerability in the transactional-commit access list feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to bypass interface access control policies and send traffic through the affected system.

The vulnerability is due to improper implementation of the feature. An attacker could exploit this vulnerability by sending traffic through the affected system while the system boots for the first time or while the affected system joins a cluster. Interface security levels are still respected, so no traffic is passed from an interface with a lower security level to an interface with a higher security level. An exploit could allow the attacker to send traffic through the system bypassing the interface access control policies.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
20-MAY-2016
Known Affected Releases: *
9.1(5), 9.5(2), 9.5(2.233)
Known Fixed Releases:
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.111), 9.1(6.104), 9.1(6.112)
Alert Type:
Updated *
Bug Id:
CSCuz16498
Title:
Error messages on console "ERROR: Problem with interface "
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When there is QoS configuration on the ASA, errors like below might be seen on the console:

ERROR: Problem with interface 2
ERROR: Problem with interface 3
ERROR: Problem with interface 4
ERROR: Problem with interface 5
ERROR: Problem with interface 6
ERROR: Problem with interface 7
ERROR: Problem with interface 8
ERROR: Problem with interface 9
ERROR: Problem with interface 10
ERROR: Problem with interface 11
ERROR: Problem with interface 12

Conditions:
QoS must be configured to encounter this problem

Workaround:
N/A

Further Problem Description:
N/A

Last Modified:
21-MAY-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases: *
96.2(0.23), 96.2(11.16), 97.1(0.16), 97.1(1.37), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCux29842
Title:
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
About 40% of sessions were dropped during failover because of the crash.

Conditions:
Failover enabled.

Workaround:

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
9.1(3), 9.3(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.235), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuz14600
Title:
Kenton 9.5.1'boot system/boot config' commands not retained after reload
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After upgrading a Kenton-series platform to 9.4.1 or 9.5.1, the ASA does not retain the "CONFIG_FILE variable" and "Current CONFIG_FILE variable" values after a reboot. The same works fine with 8.2.5 and 8.2.2.

Conditions:
The issue is only seen and is reproducible on Kenton series platform.

Workaround:

Further Problem Description:

Last Modified:
24-MAY-2016
Known Affected Releases:
9.4(1), 9.5(1)
Known Fixed Releases: *
100.15(0.118), 96.2(0.34), 96.2(11.17), 97.1(0.17), 97.1(1.44), 97.1(3.8), 97.1(9.3)
Alert Type:
Updated *
Bug Id:
CSCut75983
Title:
ASA Traceback in PPP
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in ppp_timer_thread.

Conditions:
ASA under heavy traffic and already dropping VPN tunnels (over-subscription of the ASA).

Workaround:
none

Further Problem Description:
ASA reloaded on its own.

Last Modified:
27-MAY-2016
Known Affected Releases:
8.4(7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuz30425
Title:
Network command disappears from BGP after reload with name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Network command disappears from BGP after reload with name

Conditions:
The issue is only seen when a name has been configured for the network (name 2.2.2.0 Production-20-0).

Workaround:
Remove the name from the configuration (name 2.2.2.0 Production-20-0).

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.2(4.11), 9.4(3.1), 9.5(2.7), 96.2(0.8), 96.2(11.12), 97.1(0.13), 97.1(1.26), 97.1(3.7)
Alert Type:
Updated *
Bug Id:
CSCux70784
Title:
ASA Crash while viewing large ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload when viewing an ACL that has a lot of remarks in the configuration. In testing, this appears to happen when running a command such as 'show access-list'

Conditions:
This has been seen with a configuration with over 65k remarks present in the configuration.

Workaround:
Avoid large numbers of remarks, or clean up existing remarks so that the configuration does not hold a significant number of them.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.2(4.11), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuz53186
Title:
ASA AnyConnect CSTP Copyright message changed improperly
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA is not sending correct identifier to AnyConnect. This results in errors in AnyConnect logs and affects AnyConnect feature compatibility. Minimally, Per App VPN does not work because of this issue.

Conditions:
ASA Version:
9.4.3
9.6.1
9.6.1.1
9.6.1.2

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.4(3), 9.6(1), 9.6(1.1), 9.6(1.2)
Known Fixed Releases: *
100.13(0.140), 100.15(0.117), 9.2(4.11), 9.4(3.1), 9.6(1.3), 96.2(0.19), 96.2(11.14), 97.1(0.15), 97.1(1.36), 97.1(3.8)
Alert Type:
Updated *
Bug Id:
CSCuz09394
Title:
infinite loop in JS rewriter state machine when return followed by var
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After clicking on a bookmark, the page seems to load (there is a spinning icon); after a while the icon stops spinning, but the page stays blank.

Conditions:
The page has a JS file that can send the WebVPN rewriter into an infinite loop.

Workaround:
Use APCF

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 100.8(40.118), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.1), 96.2(0.3), 96.2(1.183)
Alert Type:
Updated *
Bug Id:
CSCux33726
Title:
ASA traceback - WebVPN CIFS_file_rename_remove operations
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback with high-stress Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete).

Conditions:
Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete) performed under high-stress conditions.

Workaround:
Clientless SSL VPN and File operations.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
100.13(32.2), 8.4, 9.1(6.107), 9.1(6.111), 9.1(6.112), 9.3(3.227), 9.3(3.229), 9.4(2.104), 9.5(2), 9.6(0.126)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 100.8(40.118), 9.2(4.11), 9.4(3.1), 9.5(2.7), 96.2(0.7), 96.2(11.12), 97.1(0.12), 97.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCuy63642
Title:
ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524"
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 running version 9.1(6) encounters traceback with thread name "DATAPATH-2-1524"

Conditions:
ASA5585 running 9.1(6)

Workaround:
None so far

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.2(4.11), 9.4(3.1), 96.2(0.29), 96.2(11.16), 97.1(0.17), 97.1(1.41), 97.1(3.8)
Alert Type:
Updated *
Bug Id:
CSCux66866
Title:
Traffic drop due to constant amount of arp on ASASM
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A constant volume of ARP is generated on the ASA-SM, and this causes a partial drop of normal user traffic (outside->inside) that is unrelated to ARP.
(There is no packet drop if static ARP is configured on all interfaces for outside and inside.)

Conditions:
Customer is using an ASA-SM with 200 contexts.
All inside interfaces are assigned to separate VLANs.
A constant volume of ARP is generated (200-300 per 15 s).

Workaround:
Use static ARP on all outside/inside interfaces of the ASA-SM.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6.8)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.11), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuz54357
Title:
ASA Clientless SSLVPN HTTP URL Self Sanitizer Function Issues
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clientless SSL VPN set up on ASA 9.2.3.4. The user connects successfully to the custom application via a web browser but is not able to navigate some pull-down menus. The needed web page fails to load.

A 200 OK status is received for the web page, along with a 302 code that leads to a URL redirection.

Conditions:
Customized page works on the internal network but fails through clientless SSLVPN

Workaround:
Remove the sanitizer function or use the attached APCF file.

Further Problem Description:
HTTPWatch captures show problems with the self-sanitizer function in the jQuery script.

Last Modified:
27-MAY-2016
Known Affected Releases:
9.2(3), 9.2(4)
Known Fixed Releases: *
9.2(4.11)
Alert Type:
Updated *
Bug Id:
CSCuz38115
Title:
ASA Tback when large ACL applied to interface with object-group-search
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback when large ACL is applied to the interface with object-group-search enabled.

Conditions:
- Object-group-search is enabled
- ACL is bigger than 10K ACE
- ACL is applied to the interface

Workaround:
Disable object-group-search.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.118), 9.2(4.11), 9.4(3.1), 9.5(2.10), 9.5(2.216), 96.2(0.16), 96.2(11.13), 97.1(0.15)
Alert Type:
New
Bug Id:
CSCuz86610
Title:
Executing reload on Master with Software module causes Split Cluster
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Both ASAs in MASTER state

Conditions:
MASTER ASA running software module reloaded using the command "reload"

Workaround:
First shut down the software module

Further Problem Description:

Last Modified:
28-MAY-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz21178
Title:
ASA traceback in threadname ssh
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback due to threadname ssh

Conditions:
ASA traceback due to threadname ssh

Workaround:
none

Further Problem Description:

Last Modified:
28-MAY-2016
Known Affected Releases:
9.4(2.11)
Known Fixed Releases: *
96.2(0.38), 97.1(0.18), 97.1(1.49)
Alert Type:
Updated *
Bug Id:
CSCug51375
Title:
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA negotiates connections over SSLv3 in spite of being configured to negotiate TLSv1 only.
ASA(config)# sh run ssl
ssl server-version tlsv1-only

Conditions:
Cisco ASA running release 8.2 and later.

If the 'ssl server-version' or 'ssl client-version' value is modified after boot, the change may not be applied properly. This can leave the default of SSLv3 enabled.

Workaround:
There is no workaround.

More Info:
Upgrade to one of the known fixed releases:
* 8.2.5.55 or later
* 8.4.7.26 or later
* 8.5.1.23 or later
* 8.6.1.16 or later
* 8.7.1.15 or later
* 9.0.4.26 or later
* 9.1.5.21 or later
* 9.2.3 or later
* 9.3.1.1 or later

Last Modified:
29-MAY-2016
Known Affected Releases:
9.1(1.105)
Known Fixed Releases: *
100.10(0.6), 100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(11.18), 100.13(12.41)
Alert Type:
Updated *
Bug Id:
CSCur23709
Title:
ASA : evaluation of SSLv3 POODLE vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-3566

Conditions:
The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to disable SSLv3 on most ASA versions.

To see the SSL configuration:

show run all ssl

Default configuration of the ASA:

ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:

ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

Some of the previously listed options are not available on older ASA software releases.

Workaround:
There are no workarounds.

Further Problem Description:
This bug is for SSL server-side and is fixed in the following (and later) posted ASA releases:

9.3.1.1
9.2.3
9.1.5.21
9.0.4.26
8.4.7.26
8.2.5.55

It will also be available in the April/2015 timeframe on the following ASA software releases:

8.3.2.43
8.5.1.23
8.6.1.16
8.7.1.15

For the client-side (Clientless Smart Tunnel Component), please check CSCur42776.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
29-MAY-2016
Known Affected Releases:
8.2(1), 8.3(1), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 9.1(1), 99.1
Known Fixed Releases: *
100.11(0.52), 100.12(0.79), 100.12(23.2), 100.12(30.8), 100.12(6.23), 100.13(0.11), 100.13(1.2), 100.13(1.3), 100.13(11.18), 100.13(11.23)
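The two records above (CSCug51375 and CSCur23709) make a practical point: 'ssl server-version tlsv1-only' in the running config is not proof that SSLv3 is off, so the check has to be made from the outside. The following Python script is an added example, not Cisco code. It sends a bare SSLv3 ClientHello (record and handshake version 3.0, no TLS extensions, SSLv3-era RSA cipher suites) and classifies the first record the server returns: a ServerHello carrying version 3.0 means SSLv3 is accepted, an alert means it was refused. The hostname vpn.example.com is a placeholder, and the sample replies at the bottom are constructed for offline use, not captured from an ASA.

```python
"""Send a bare SSLv3 ClientHello and classify the server's first record.
Added example for CSCug51375 / CSCur23709; not Cisco code."""
import os
import socket
import struct

SSLV3 = 0x0300
# SSLv3-era suites (RSA key exchange); any of them being chosen shows SSLv3 is live.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)
ALERT, HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_sslv3_client_hello():
    """Return one record carrying an SSLv3 ClientHello (RFC 6101 framing)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", SSLV3)                  # client_version = 3.0
        + os.urandom(32)                          # gmt_unix_time + random bytes
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                             # compression_methods: null only
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns: 'sslv3-accepted', 'rejected' or 'other'."""
    if len(data) < 5:
        return "other"                            # empty read / TCP reset: nothing negotiated
    content_type = data[0]
    if content_type == ALERT:
        return "rejected"                         # e.g. protocol_version (70), handshake_failure (40)
    if content_type == HANDSHAKE and len(data) >= 11 and data[5] == SERVER_HELLO:
        server_version = struct.unpack("!H", data[9:11])[0]   # record hdr (5) + handshake hdr (4)
        return "sslv3-accepted" if server_version == SSLV3 else "other"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))


# Constructed sample replies (not captured from a real ASA) for offline use.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"           # handshake record, version 3.0, 42 bytes
    + b"\x02\x00\x00\x26"             # ServerHello, 38 bytes
    + b"\x03\x00" + b"\x00" * 32      # server_version 3.0, random
    + b"\x00"                         # empty session_id
    + b"\x00\x2f"                     # chosen suite TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                         # null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal protocol_version
SAMPLE_TLS10_SERVER_HELLO = (
    SAMPLE_SSLV3_SERVER_HELLO[:9] + b"\x03\x01" + SAMPLE_SSLV3_SERVER_HELLO[11:]
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"   # placeholder host
    print(target, probe(target))
```

A fixed ASA configured with 'ssl server-version tlsv1-only' should answer with an alert (or simply close the connection, which the script reports as 'other'); 'sslv3-accepted' from a unit that has that line configured is exactly the behaviour CSCug51375 describes. The probe establishes only that SSLv3 is negotiable; it does not attempt the POODLE padding attack itself.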
Alert Type:
Updated *
Bug Id:
CSCuy73652
Title:
Traceback in thread name idfw when modifying object-group having FQDN
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Traceback in thread name idfw when modifying object-group having FQDN

Conditions:
Modifying an object-group having FQDN.

Workaround:
Restrict using FQDN objects, if possible

Further Problem Description:

Last Modified:
30-MAY-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases:
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCup37416
Title:
Stale VPN Context entries cause ASA to stop encrypting traffic
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
ASAs which had a working L2L VPN tunnel suddenly stops encrypting traffic.
The ASP table shows duplicate ASP entries; traffic hits a stale entry, and the traffic for that particular SA is blackholed.

Conditions:
ASA5500 running 9.1 or later code with IKEv2 L2L tunnels configured with default IKEv2 rekey configuration supporting both time and data-based rekeys.

Workaround:
Potential workarounds:

1)Disable data-based rekeying:
"crypto map set security-association lifetime kilobytes unlimited"

2) clear crypto ipsec sa inactive

Further Problem Description:

Last Modified:
30-MAY-2016
Known Affected Releases:
9.1(2.8), 9.1(3), 9.1(5.12), 9.1(6), 9.2(3), 9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz00077
Title:
ASA 9.1.6.4 traceback with Thread Name: telnet/ci
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed with Thread Name: telnet/ci

Conditions:
Crashed when "show ssh session detail" command was executed.

Workaround:
If possible, use "no pager" to reduce the chance of this problem occurring.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.1(6.4)
Known Fixed Releases: *
96.2(0.39), 97.1(0.18), 97.1(1.49), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCuz38180
Title:
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA-SM reloads and generates a traceback with Thread DATAPATH, just after it boots up and joins failover with another active unit.

Conditions:
1. The affected ASA is an ASA-SM module.
2. The switch where ASA-SM is installed has private vlans.
3. At least one primary vlan is extended to ASA-SM.

Workaround:
Force the ASA to skip the config using config-register. Clear the startup config. Configure failover again and let the ASA join the failover.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.1(6.10), 9.1(7.6)
Known Fixed Releases: *
9.2(4.11), 96.2(0.36), 97.1(0.18), 97.1(1.47), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCux82168
Title:
LDAP over SSL (LDAP-S) authentication failing
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
LDAP over SSL (LDAP-S, port 636) authentication is failing for ASA releases 9.3.2, 9.4.x and 9.5.x.
The issue may occur with mismatched TLS settings between the ASA and the LDAP server, for example when the ASA attempts to negotiate TLS 1.2 ciphers while the LDAP server is set to use only TLS 1.1 ciphers.

LDAP (non-secure, port 389) authentication is functional.

Conditions:
LDAP-over-SSL authentication for operations such as remote access VPN.
Refer to Cisco docs or other external info on how to setup LDAPS.

Workaround:
Use LDAP (non-secure, port 389). Note that this sends bind credentials and directory traffic in cleartext, so the path between the ASA and the LDAP server must be trusted.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.3(2), 9.4(1.112), 9.4(2), 9.5(1.4), 9.5(1.5), 9.5(2), 96.1(1.58)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz64784
Title:
ASA traceback in DATAPATH on all cluster units during context removal
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
The ASA may unexpectedly reload and generate a traceback when removing a context from the ASA configuration

Conditions:
1. The ASA must be running in multiple-context mode.
2. The ASA must be running in clustering environment.
3. The user context must be receiving multicast traffic when it is being removed.
4. The ASA crashes when the user context is removed while multicast traffic is still hitting the ASA.

5. The crash has been observed on ASA version 9.6.1 but other versions may also be affected.

Workaround:
There are a number of workarounds.

1. Do not remove a user context.
2. First stop the multicast traffic that is reaching the context to be removed, then remove the context.
3. If a user context must be removed while multicast traffic is still reaching it, first remove the MAC addresses from all of the interfaces in that context. For example, to remove context user-ctx1, which has two interfaces, user-ctx1-inside and user-ctx1-outside:

[1] changeto context user-ctx1
[2] enter configuration mode
[3] configure interface user-ctx1-inside
[4] remove all MAC addresses
===> ASA/user-ctx1(config-if)# no mac-address
[5] configure interface user-ctx1-outside
[6] remove all MAC addresses

Then return to the system context and remove user-ctx1.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz52474
Title:
Evaluation of pix-asa for OpenSSL May 2016
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176

And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

This bug has been opened to address the potential impact on this product.

Conditions:
Cisco ASA running release 9.0 or later may be affected by the following vulnerabilities. Exposure is not configuration dependent.

Padding oracle in AES-NI CBC MAC check CVE-2016-2107
Memory corruption in the ASN.1 encoder CVE-2016-2108
ASN.1 BIO excessive memory allocation CVE-2016-2109

The ASA is not affected by the following vulnerabilities:
EVP_EncodeUpdate overflow CVE-2016-2105
EVP_EncryptUpdate overflow CVE-2016-2106
EBCDIC overread CVE-2016-2176

Devices running versions prior to 9.0 may be affected by one or more of these vulnerabilities. These releases have not been extensively investigated. All releases prior to 9.0 have reached End of Software Maintenance and will not receive updates.

Workaround:
None

Further Problem Description:
ASA versions previous to 9.0 have all reached End of Software Maintenance by Cisco and may be affected by one or more of these vulnerabilities. Combined with the fact that they use version 0.9.8 of OpenSSL (support for which ended in December 2015), no updates will be made for those versions. Customers are advised to upgrade to version 9.1 or later.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 5.1

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
The score reflects the maximum score for all the vulnerabilities mentioned in this bug information

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-MAY-2016
Known Affected Releases:
9.0, 9.1(2), 9.2, 9.3, 9.4, 9.5, 9.6(1)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.2(4.11), 9.4(3.2), 96.2(0.36), 96.2(11.17), 97.1(0.17), 97.1(0.18), 97.1(1.45), 97.1(1.48)
Alert Type:
Updated *
Bug Id:
CSCuz67590
Title:
ASA may Traceback with Thread Name: cluster rx thread
Status:
Fixed
Severity: *
2 Severe
Description:

Symptom:
ASA may Traceback with Thread Name: cluster rx thread

Conditions:
ASA cluster

Workaround:
NONE

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases: *
96.2(0.38), 97.1(0.18), 97.1(1.49), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCuz38888
Title:
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
VBScript fails to be re-written correctly by the ASA's WebVPN rewriter.
e.g. the Microsoft CA web enrollment page fails to load completely via the ASA WebVPN portal when VBScript is used to auto-populate certain fields within the page.

Conditions:
ASA 9.5.2.2 (and higher), 9.2.4 and 8.2.5.58.

Workaround:
NA.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases: *
96.2(0.39), 97.1(0.18), 97.1(1.50), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCuy00296
Title:
Traceback in Thread: IPsec message handler
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: IPsec message handler

Conditions:
No specific condition triggering this issue as of now.

Workaround:
None at this time

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.2(2.4), 9.5(2)
Known Fixed Releases: *
96.2(0.40), 97.1(0.18), 97.1(1.50), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCuy54567
Title:
Evaluation of pix-asa for OpenSSL March 2016
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-0800 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704

And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

This bug has been opened to address the potential impact on this product.

Conditions:
Exposure is not configuration dependent.

Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799 - Fix memory issues in BIO_*printf functions
CVE-2016-0702 - Side channel attack on modular exponentiation
CVE-2016-0705 - Double-free in DSA code

This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2
CVE-2016-0704 - Bleichenbacher oracle in SSLv2
CVE-2016-0798 - Memory leak in SRP database lookups

Workaround:
Not available.

Further Problem Description:
Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 4.3

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:ND

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
31-MAY-2016
Known Affected Releases:
8.0, 9.0, 9.1(2), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.6(2)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.2(4.11), 9.4(3.2), 96.2(0.36), 96.2(11.17), 97.1(0.17), 97.1(0.18), 97.1(1.45), 97.1(1.48)
Alert Type:
Updated *
Bug Id:
CSCuy99280
Title:
ENH: ASAv should have a different pre-loaded cert
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASAv may fail to register to the Smart Software Licensing portal. The ASAv will present the following output:

ASAv# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error

(The Last Server Response Message may also simply state "Communication Failure").

The ASA will be able to access internet resources, but ASA-3-717009 messages will be seen, indicating "No suitable trustpoints found to validate certificate serial number..."

Conditions:
In the output of show crypto ca certificate, the default certificate has the following information:

ASAv# show crypto ca certificate
CA Certificate
[...]
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
[...]
Associated Trustpoints: _SmartCallHome_ServerCA


In the correct certificate, the first line under "Subject Name" (the intermediate CA) reads "cn=Symantec Class 3 Secure Server CA - G4", i.e. it is the Symantec-branded G4 intermediate rather than the VeriSign G3 one.

Workaround:
Pre-9.5.2:

Run the following command in enable mode:

crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b

Starting in 9.5.2:

The trustpool will auto-update at 10pm local device time. If this is an initial installation, and DNS lookups and internet connectivity have not been up at that time yet, then the auto-import has not succeeded and will need to be completed manually.

### IMPORTANT NOTE ####
After 9.6.1.1 is released -
1. Before upgrading the ASA, please run the following commands on ASA prompt. This removes the old cached certificate from the config.
ciscoasa(config)# clear configure crypto ca trustpoint
ciscoasa(config)# write memory

2. After the upgrade, the following message will appear during bootup:
.Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

3. As the old cached certificate is cleared by step 1, the new certificate will be installed in the trustpoint. This can be verified by issuing the following command and observing output. Note: the 'subject name' should match the 'issuer name'.
5545-1# show crypto ca certificates

Output:
CA Certificate
Status: Available
Certificate Serial Number: 18dad19e267de8bb4a2158cdcc6b3b4a
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Validity Date:
start date: 00:00:00 UTC Nov 8 2006
end date: 23:59:59 UTC Jul 16 2036
Associate

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.3(3), 9.4(2), 9.5(2)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 100.7(6.151), 100.8(40.118), 9.2(4.11), 9.4(2.112), 9.4(3), 9.5(2.207), 9.5(2.7)
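The check in step 3 of this record (the subject name should match the issuer name, i.e. the trustpoint should hold a self-signed root rather than the cached G3 intermediate) can be automated against saved 'show crypto ca certificate' output. The Python below is an added example, not Cisco code. The good sample is the G5 root block from this record with its truncated "Associated Trustpoints" line completed as _SmartCallHome_ServerCA; the bad sample's issuer block is constructed, because the record shows only the intermediate's subject.

```python
"""Parse ASA 'show crypto ca certificate' output and check which certificate
sits in the _SmartCallHome_ServerCA trustpoint. Added example, not Cisco code."""
import re

TRUSTPOINT = "_SmartCallHome_ServerCA"
# Root the bug record says the trustpoint should hold after the fix (subject == issuer).
EXPECTED_ROOT_CN = "VeriSign Class 3 Public Primary Certification Authority - G5"


def parse_certificates(text):
    """Return one dict per certificate block: issuer_cn, subject_cn, trustpoints."""
    certs, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(CA )?Certificate", line):          # start of a new block
            current = {"issuer_cn": None, "subject_cn": None, "trustpoints": []}
            certs.append(current)
            section = None
        elif current is None:
            continue
        elif line == "Issuer Name:":
            section = "issuer_cn"
        elif line == "Subject Name:":
            section = "subject_cn"
        elif line.startswith("Associated Trustpoints:"):
            current["trustpoints"] = line.split(":", 1)[1].split()
            section = None
        elif line.startswith("cn=") and section:
            current[section] = line[3:]
        elif line.endswith(":"):                               # e.g. "Validity Date:" ends a name block
            section = None
    return certs


def check_smartcallhome_ca(certs):
    """Return (ok, reason) for the certificate bound to _SmartCallHome_ServerCA."""
    for cert in certs:
        if TRUSTPOINT not in cert["trustpoints"]:
            continue
        if cert["subject_cn"] != cert["issuer_cn"]:
            return False, "cached intermediate: subject %r != issuer %r" % (
                cert["subject_cn"], cert["issuer_cn"])
        if cert["subject_cn"] != EXPECTED_ROOT_CN:
            return False, "unexpected root CN %r" % cert["subject_cn"]
        return True, "self-signed root %r" % cert["subject_cn"]
    return False, "no certificate bound to " + TRUSTPOINT


# Sample from the bug record; the trustpoint line is completed here (constructed).
GOOD_OUTPUT = r"""
CA Certificate
Status: Available
Certificate Serial Number: 18dad19e267de8bb4a2158cdcc6b3b4a
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Validity Date:
start date: 00:00:00 UTC Nov 8 2006
end date: 23:59:59 UTC Jul 16 2036
Associated Trustpoints: _SmartCallHome_ServerCA
"""

# Constructed sample of the wrong pre-loaded cert: the G3 intermediate, issuer lines assumed.
BAD_OUTPUT = r"""
CA Certificate
Status: Available
[...]
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
[...]
Associated Trustpoints: _SmartCallHome_ServerCA
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, check_smartcallhome_ca(parse_certificates(text)))
```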
Alert Type:
Updated *
Bug Id:
CSCuz06125
Title:
Active and Standby ASA use same MAC addr with only active MAC configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Active and Standby ASAs use the same MAC address on their interfaces.

Conditions:
Only active mac address is configured under that interface. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111

Workaround:
Configure both active and standby MAC addresses when assigning a manual MAC address. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111 standby 0000.1000.2222

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 100.8(40.117), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.1), 96.2(0.1), 96.2(1.180)
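A quick way to find every interface that carries the condition from this record (a manual active MAC with no standby MAC) before a failover pair is upgraded: the Python below is an added example, not Cisco code, that walks a saved running-config and reports such stanzas together with the active MAC they set. The configuration it runs against is constructed for the example.

```python
"""Audit an ASA running-config for manual interface MACs that lack a standby
address (the condition in CSCuz06125). Added example, not Cisco code."""
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# "mac-address <active>" optionally followed by "standby <standby>"
MAC_LINE = re.compile(r"^\s+mac-address\s+(%s)(?:\s+standby\s+(%s))?\s*$" % (MAC, MAC), re.I)


def find_missing_standby_mac(config_text):
    """Return [(interface, active_mac)] for every stanza with 'mac-address X' but no 'standby Y'."""
    findings, interface = [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            interface = line.split(None, 1)[1].strip()
            continue
        if line and not line.startswith(" "):       # '!' or any other top-level line ends the stanza
            interface = None
            continue
        m = MAC_LINE.match(line)
        if interface and m and m.group(2) is None:
            findings.append((interface, m.group(1).lower()))
    return findings


# Constructed sample, not a customer configuration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 mac-address 0000.1000.1111
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 mac-address 0000.1000.3333 standby 0000.1000.4444
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
"""

if __name__ == "__main__":
    for interface, mac in find_missing_standby_mac(SAMPLE_CONFIG):
        print("%s: mac-address %s has no standby address" % (interface, mac))
```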
Alert Type:
Updated *
Bug Id:
CSCux58172
Title:
DAP: debug dap trace not fully shown after +1600 lines
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Debug dap trace and related syslog messages are not fully shown if output is more than ~1600 lines

Conditions:
Returning many attributes by the anyconnect client after a hostscan

Workaround:
Deleting anything from the client that would normally be sent back in hostscan will reduce the size of the debugs printed. This can include anything listed in the debug output but the bulk usually consists of windows security updates and certificates.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.69), 100.11(0.71), 100.12(0.158), 100.13(0.132), 100.13(0.137), 100.15(0.112), 100.8(40.115), 9.1(7.180), 9.2(4.11), 9.4(2.103)
Alert Type:
Updated *
Bug Id:
CSCut35406
Title:
Src url of video track tag not mangled via webvpn
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When loading a url with video content with subtitle via webvpn, page is loaded successfully but the src url is not mangled for track tag.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
100.13(16.1), 9.3(2)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCux83705
Title:
DNS Reply Modification for Dual-Stack does not work as expected
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
For DNS requests passing through an ASA which is supposed to perform DNS fixup/doctoring/reply modification (as configured in fig 27-27 of the following doc: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1090556), in a dual-stack routing environment, the ASA modifies one of the records twice (per design) and the other only once (defective behavior). The Layer 3 protocol of the DNS request is the same as the record that will be successfully modified.

For example, if the client makes a DNS request over IPv4, the ASA will correctly modify the A record twice, but it will return an AAAA record which has only been modified once. If the client makes a DNS request over IPv6, then the ASA will modify the AAAA record twice, but it will only modify the A record once.

Conditions:
-The DNS Server, Host, and Server are on separate networks (as in fig 27-27 of the following doc: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1090556)
-Dual-Stack routing is in place (IPv4 and IPv6)

Workaround:
No configuration workarounds are possible on the ASA.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.11), 9.4(2.101), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCut24490
Title:
L2TP/IPSec Optimal MSS is not what it's supposed to be
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a bug to clarify how to calculate the optimal MSS for L2TP/IPSec

Conditions:
ASA terminating IPSec/L2TP

For Windows 7, the MTU on the IPsec/L2TP virtual adapter is 1300. Because 1300 is small enough, MSS configuration may not be required.
However, this is not always the case for Android.

Workaround:
TAC lab test indicates the following formula can be used to calculate MSS.

MSS = MTU - 156

e.g.
when MTU is 1500:
MSS = 1500 - 156 = 1344

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(2.23)
Alert Type:
Updated *
Bug Id:
CSCut67315
Title:
ASA :Top 10 Users status is not getting enabled from ASDM.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Top 10 Users status is not getting enabled from ASDM.

Conditions:
ASA running code 9.3.2

Workaround:
Downgrade ASA to 9.1.5 to get this feature working.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.3(1), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCtq90780
Title:
ASA allows removing address pool conf even if it is in use in grp-policy
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Startup-config errors, or errors when doing 'wr standby'.

Conditions:
address pool configured and being used in group-policy or tunnel-group

Workaround:
Remove the pool from wherever it is being used (group-policy or tunnel-group), then remove it from the running config.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
8.4
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.88), 100.14(0.67), 100.15(0.21), 100.15(1.37), 100.15(10.4), 100.15(15.2), 100.15(2.75), 100.15(4.23)
Alert Type:
Updated *
Bug Id:
CSCuu19489
Title:
ASA inspection-MPF ACL changes not inserted into ASP table properly
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
New ACL changes not taking effect for inspection policies.

When adding new rules to the top of an existing ACL which is mapped to an inspection policy, the ASA installs this rule incorrectly at the bottom of its ASP table. This is applicable for any inspection policy that has an ACL bound to it.

Conditions:
There should be an ACL bound to an inspection policy.

Workaround:
Remove and re-apply the service-policy, or remove and re-apply the affected class-map in the policy-map.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuq87632
Title:
User membership not updated in parent group
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
User membership not updated in parent group.

Conditions:
ASA configured with the Identity Firewall configuration and using the CDA

Workaround:
Monitor the Sub Group as well.

Further Problem Description:
None

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.49), 100.12(0.58), 100.12(6.14), 100.13(0.4), 100.13(11.6), 100.13(12.15), 100.13(13.1), 100.13(15.5), 100.13(16.1), 100.13(17.1)
Alert Type:
Updated *
Bug Id:
CSCus78722
Title:
inspect esmtp replaces packet data with 'X'
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
inspect esmtp causes some packet data to be replaced with "X". As a result, the mail server fails to respond to that mail.

Conditions:
ESMTP inspection is enabled on the ASA.

Workaround:
None

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
8.4(7.20)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.14), 100.14(7.14)
Alert Type:
Updated *
Bug Id:
CSCuz18707
Title:
Intranet page does not load via WebVPN with JavaScript errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The intranet page fails to load properly via WebVPN.

Conditions:
A page with JavaScript enabled is accessed via WebVPN.

Workaround:
NA

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(7.6)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 100.8(40.118), 9.2(4.11), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1), 96.2(0.5)
Alert Type:
Updated *
Bug Id:
CSCuy89425
Title:
AAA: RSA/SDI unable to set new PIN
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrade of the ASA the users are unable to (re-)set PIN for their soft tokens.

Cisco VPN client:
1. Connect
2. Provide username+token code
3. "Enter your new alphanumeric PIN.." message, PIN entered, OK
4. "Enter your new alphanumeric PIN.." message again, no place to enter PIN, just OK button.
5. User is disconnected.

iPhone:
1. Connect
2. Provide username+token code
3. "Enter your new alphanumeric PIN.." message, PIN entered, OK.
4. Nothing else happens, user is disconnected.

In the logs on the RSA server, the following error can be seen:

"Authentication method failed, passcode format error"

Conditions:
ASA 9.1.7
RSA authentication using SDI protocol.
Client needs to set a new token PIN.

Workaround:
Create new PIN using RSA self service portal.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.118), 9.2(4.11), 9.4(3.1), 9.5(2.7), 96.2(0.11), 96.2(11.13), 97.1(0.14), 97.1(1.31)
Alert Type:
Updated *
Bug Id:
CSCuq95704
Title:
There are two certificates related to one trustpoint on standby unit.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There are two certificates related to one trustpoint on standby unit as below.
---
# show crypto ca certificates | inc Trustpoints|Certificate
Certificate <-- certificate 1
Certificate Serial Number: 06
Certificate Usage: General Purpose
Associated Trustpoints: TrustpointA
CA Certificate
Certificate Serial Number: 00fd8a5813a9675d6f
Certificate Usage: General Purpose
Associated Trustpoints: TrustpointA
Certificate <-- certificate 2
Certificate Serial Number: 04
Certificate Usage: General Purpose
Associated Trustpoints: TrustpointA

Conditions:
When renewing an ASA certificate on the active unit.

Workaround:
Run 'write standby' on the active ASA.

Further Problem Description:
On adding an ID certificate on the Active ASA, remove_superceded_cert() is called, but the same function is not called on the Standby ASA: the new ID certificate is copied to the standby, but the old one is not deleted. The call to remove_superceded_cert() is missing from the Standby ASA code.

Last Modified:
27-MAY-2016
Known Affected Releases:
8.4(7), 9.1(5)
Known Fixed Releases: *
100.11(0.49), 100.12(0.61), 100.12(6.14), 100.13(0.4), 100.13(11.7), 100.13(12.15), 100.13(15.5), 100.13(16.1), 100.13(17.1), 100.8(40.88)
Alert Type:
Updated *
Bug Id:
CSCub30181
Title:
ASA doesn't set ACE inactive when time-range expires
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some scenarios, after a time-range expires, an ASA does not mark the ACE as inactive. This causes traffic to be incorrectly permitted or denied after the time range is no longer valid.

Conditions:
This affects ASA versions 8.4.1 through 8.4.4.

Workaround:
Make any change to the ACL policy that will force it to re-apply the configuration. For example, move the start time of the time-range forward by 1 minute.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2012-3925 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
100.7(13.93), 8.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.115), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCus65997
Title:
Failover State Link Must Support Directly Connected Redundant Interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When using stateful failover on Adaptive Security Appliances (ASA), a reloaded failover peer may select an inactive member of the redundant interface on the failover state link. As a result, the failover state link fails.

Conditions:
Failover ASA units use a pair of directly connected physical ports in a redundant interface configuration for the failover state link.

Workaround:
None

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(4), 9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuz41033
Title:
dynamic crypto map fails if named the same as static crypto map
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Both the static and dynamic crypto maps use the same name, and an ACL is configured under the dynamic map.
The IPsec tunnel comes up, but traffic is dropped.

Example:
Ping fails

'show asp drop' shows the following:
"VPN overlap conflict (vpn-overlap-conflict)"

Conditions:
Both the static and dynamic crypto maps use the same name, and an ACL is configured under the dynamic map.

Workaround:
Change either the static crypto map name or the dynamic crypto map name, or delete the ACL from the dynamic map.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6.110), 9.1(7.4)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.2(4.11), 9.4(3.1), 96.2(0.20), 96.2(11.15), 97.1(0.15), 97.1(1.37), 97.1(3.8)
Alert Type:
Updated *
Bug Id:
CSCuv02619
Title:
Standby ipv6 address setting is not replicated to standby
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standby IPv6 settings are not replicated correctly.

Conditions:
In L2 firewall mode and multiple context mode.

Workaround:
'write standby' twice on the active unit.

Further Problem Description:
none

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6.6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.67), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(15.4), 100.15(4.24), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCur76771
Title:
scansafe feature is missing from registered module features
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Cisco's Cloud Web Security (formerly known as ScanSafe) is a feature available on ASA appliances. However, when enabled, this feature does not report its status via the command:
show call-home registered-module status all

This bug is filed to ensure the ScanSafe feature properly reports back its status to the system.

Conditions:
ScanSafe feature does not report back its status to the registered-module.

Workaround:
None

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.54), 100.11(0.55), 100.12(0.103), 100.12(0.108), 100.12(24.5), 100.13(0.12), 100.13(0.13), 100.13(1.13), 100.13(1.24), 100.13(11.23)
Alert Type:
Updated *
Bug Id:
CSCuz66269
Title:
SCP client does not allow entering a password with "no ssh stricthostkeycheck"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When copying a file to or from an ASA in either single or multi-context mode using Secure Copy (SCP), the CLI terminates prematurely with "permission denied" when "no ssh stricthostkeycheck" is configured in single mode or in the admin context under multi-context mode. If the user is connected to the ASA through a serial console, a "Password:" prompt is likely to be seen before the CLI ends. If the user is connected to the ASA through an ssh/telnet session, the "Password:" prompt may not be presented, as it may still be pending when the CLI ends.

Conditions:
1) ASA running in single or multi-context mode from version 9.1(5) upwards.
2) Copying a file to or from the ASA using authenticated SCP with "no ssh stricthostkeycheck" configured in single mode or in admin context under multi-context mode.

Workaround:
When prompted for the user name, append the password after a ":" character as the separator. For example:

ASA/pri/act(config)# copy scp://192.168.1.1 disk0:asa916-140-k8.bin

Address or name of remote host [10.252.11.19 ]?

Source username []? username:password

Further Problem Description:

Last Modified:
28-MAY-2016
Known Affected Releases:
9.0(4), 9.1(5)
Known Fixed Releases: *
96.2(0.36), 97.1(0.18), 97.1(1.47)
Alert Type:
Updated *
Bug Id:
CSCuz06153
Title:
Incorrect msg shown when configuring MAC addr same as already configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message "ERROR: active address equals to burn-in address" shown when trying to configure manual MAC address for an interface of the ASA.

Conditions:
The MAC address is already configured for the interface. For example:

ciscoasa(config)# show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
mac-address 0000.1000.1111
nameif csm
security-level 0
no ip address
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# mac-address 0000.1000.1111 standby 0000.1000.2222
ERROR: active address equals to burn-in address

Workaround:
Remove the previously configured mac-address and re-add it. For example:

ciscoasa(config)# show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
mac-address 0000.1000.1111
nameif csm
security-level 0
no ip address
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# no mac-address 0000.1000.1111
ciscoasa(config-if)# mac-address 0000.1000.1111 standby 0000.1000.2222

Further Problem Description:

Last Modified:
28-MAY-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
96.2(0.36), 97.1(0.18), 97.1(1.48)
Alert Type:
Updated *
Bug Id:
CSCuy91788
Title:
ASAv: Free memory is reported as negative in an OOM condition
Status:
Fixed
Severity: *
3 Moderate
Description:

Symptom:
In a high memory usage condition on the virtual ASA, the free memory can be reported by 'show memory [detail]' as a very high number, for example as 18446744073447407616 bytes.

Conditions:
Virtual ASA, high memory usage.

Workaround:
Treat such a value as an indication that memory is exhausted, or nearly so.

Further Problem Description:

Last Modified:
30-MAY-2016
Known Affected Releases:
96.2(1.155)
Known Fixed Releases:
100.15(0.112), 9.5(2.8), 9.6(1.1), 96.1(1.87), 96.2(1.164), 96.2(11.4), 97.1(0.7), 97.1(1.9), 97.1(2.8), 97.1(3.4)
Alert Type:
Updated *
Bug Id:
CSCux85725
Title:
ASA WebVPN: Java RDP Plugin does not launch
Status:
Fixed
Severity:
3 Moderate
Description:


Symptom:
Once logged in to the ASA's clientless WebVPN portal, clicking on an RDP bookmark [or URL] opens the Java RDP Plugin page, with a note saying:
Launching properJavaRDP session...
Connecting to:

However, the connection never succeeds.


Conditions:
ASA running release 9.1.6.7 or later

Note: tested with JRE ver 1.8 u65

Workaround:
No workaround for Java.

Using ActiveX based RDP [IE only] works.

More Info:
Customers who deploy
* Clientless plug-ins (e.g. RDP, Telnet/SSH, VNC, Citrix)
* Clientless VPN to access web pages that host Java applets
may find that their users experience similar behaviors with different error messages.



Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(2), 96.1(1.45)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(40.114), 9.1(7.4), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.10)
Alert Type:
Updated *
Bug Id:
CSCuz61236
Title:
ASA sends packets to SFR without untranslating destination IP
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
> The ASA might send inbound packets for NATed internal servers to the SFR module without un-translating the L3 destination IP header.

> A trace of a packet captured on the ASA shows the un-translation happening prior to the SFR redirection (in the example below, from 2.2.2.2 to 3.3.3.3):


21 packets captured

1: 14:58:08.678157 1.1.1.1.18963 > 2.2.2.2.443: S 1770012950:1770012950(0) win 8192

...

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW

Config:
object network vip-https
nat (dmz,outside) static httpsoutside service tcp https https
Additional Information:
NAT divert to egress interface dmz
Untranslate 2.2.2.2/443 to 3.3.3.3/443

> But the packet capture and logs on the Sensor still show the destination IP address as 2.2.2.2.

Conditions:
> ASA version 9.5.1
> SFR module Sensor / 6.0.0
> Affected traffic is redirected to the sensor for inspection and is subject to NAT translation on the ASA.

Workaround:
None.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz42986
Title:
ASA(HA) doesn't send RST packets when sfr module shutdown
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The client does not receive RST packets when the sfr modules of both ASA5506s (HA) are shut down.

Conditions:
This issue occurs on ASA5506/5508/5516 units in an HA pair.
The ASA5506/5508/5516 are set to fail-close.

Workaround:
None

Further Problem Description:
None

Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(2), 9.6(1)
Known Fixed Releases: *
96.2(0.38), 97.1(0.18), 97.1(1.49), 97.1(9.5)
Alert Type:
Updated *
Bug Id:
CSCuz16398
Title:
Incorrect modification of NAT divert table.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The NAT divert table gets modified, or rather the rule gets pushed to the bottom of the NAT divert table list, when the "no-proxy-arp/route-lookup" keyword is added to an already existing nat statement.

Conditions:
Append the no-proxy-arp/route-lookup keywords to an existing nat rule entry without deleting the entry first.

Workaround:
Delete the nat statement and re-add the entry with the keyword included by specifying the line number.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.2(4.5)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 100.8(40.118), 96.2(0.7), 96.2(11.12), 97.1(0.12), 97.1(1.25), 97.1(1.26), 97.1(3.6), 97.1(3.7)
Alert Type:
Updated *
Bug Id:
CSCuw74410
Title: *
SSP: Low TCP CPS with NAT enabled
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
Low TCP CPS with NAT enabled on a 3 node intra chassis cluster.

Conditions:
SSP 3 node intra chassis cluster with NAT enabled.

Workaround:
Awaiting more information from the submitter to analyze and either fix or provide a workaround for this issue.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
100.15(0)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz88153
Title:
ASA keeps Dropping FIN for a long period of time after failover
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
A FIN or FIN/ACK is dropped with "TCP replicated flow pak drop" just after failover; that is expected behavior. However, the dropping persists for a long period of time.
So when a TCP session is about to end and each endpoint tries to send a FIN to close it, the ASA keeps dropping the FIN packets and therefore the TCP session cannot be ended.

Conditions:

Workaround:
None.
But if one side sends a RST instead of a FIN, it passes through the ASA and the session can be forcibly closed.
RST is not dropped by "TCP replicated flow pak drop" just after failover.

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCui75179
Title:
Securely-served auto-update reply message can serve insecure URLs
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
The Cisco Adaptive Security Appliance (ASA) can be configured to utilize the HTTPS transport for the connection to the auto-update server. The URLs provided in the response from the auto-update server can be configured to utilize HTTP for the transfer of the updated component.

Conditions:
An ASA configured for auto-update functionality.

Workaround:
Ensure all URLs utilized for auto-update functionality are configured for utilizing the HTTPS transport.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined that it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
05-MAY-2016
Known Affected Releases:
9.0(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz50992
Title:
ACI ASA DP: Require 'standby IP' L4-L7 parameter
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The standby unit of the ASA HA pair goes down. The active unit continually loses failover communications with the standby unit. The standby unit becomes unreachable via out-of-band management.

A fault with description "Device configuration resulted in *Major script error : Configuration error : **** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit." is present.

Conditions:
The Management Standby IP Address is only configured on the APIC-side CDev corresponding to the HA primary unit.

To trigger, delete and re-add the vnsRsCIfAttN MOs associated with the failover links. Alternatively, trigger a deviceValidate operation on the standby unit's CDev.

Workaround:
Manually re-configure failover, add 'Management Standby IP Address' parameter on the APIC, and then re-enable failover.

Further Problem Description:

Last Modified:
11-MAY-2016
Known Affected Releases:
9.3(0.102)
Known Fixed Releases: *
1.2(6.3)
Alert Type:
Updated *
Bug Id:
CSCuz56618
Title:
asa-dp: serviceAudit generates wrong CLIs for NAT
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Use the device package to generate the following nat CLIs on ASA:

nat (outside,internal1) source static any any
nat (outside,internal) source static any any

Then invoke serviceAudit on the same device and expect that no configuration will be generated. However, the operation generates the following CLIs:

no nat (outside,internal) source static any any
no nat (outside,internal1) source static any any

Conditions:
Configure two graphs sharing the same NATList.

Workaround:
Each graph uses a different NATList.

Further Problem Description:

Last Modified:
11-MAY-2016
Known Affected Releases:
1.2(5.5)
Known Fixed Releases: *
1.2(6.3)
Alert Type:
Updated *
Bug Id:
CSCuz42674
Title:
asa-dp: serviceAudit throws exception
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
serviceAudit throws an exception:
I am getting random errors from the DP when I instantiate and uninstantiate a graph with NAT. It results in the NAT config either not getting applied or not getting removed:

2016-04-27 10:44:34.160270 DEBUG Thread-9 674911 [10.122.57.136, 41835] result: serviceAudit {'stats': {'max': 6.565932989120483, 'num': 1663, 'last': 1.571537971496582, 'avg': 1.8268042921088077, 'min': 0.7275519371032715}, 'result': {'faults': [([(0, '', 20353)], 30, 'Unexpected exception: argument of type \'NoneType\' is not iterable\nTraceback (most recent call last):\n File "/install/device_script.py", line 132, in handler\n f(*argv, **kwargs)\n File "/install/device_script.py", line 695, in audit_operation\n sts, features)\n File "/install/translator/devicemodel.py", line 337, in generate_asa_delta_cfg\n ifc_delta_cfg = generate_ifc_delta_cfg(ifc_cfg, asa_cfg, device, interfaces, features)\n File "/install/translator/devicemodel.py", line 317, in generate_ifc_delta_cfg\n translator = asa.get_translator(cli)\n File "/install/translator/base/dmobject.py", line 284, in get_translator\n result = child.get_translator(cli)\n File "/install/translator/rule/nat_rule.py", line 444, in get_translator\n nat_policy, nat_list_name, firewall_interfaces = self.find_nat_list(interfaces)\n File "/install/translator/rule/nat_rule.py", line 432, in find_nat_list\n if all(map(lambda x: x in firewall_interfaces, interfaces)):\n File "/install/translator/rule/nat_rule.py", line 432, in \n if all(map(lambda x: x in firewall_interfaces, interfaces)):\nTypeError: argument of type \'NoneType\' is not iterable\n')], 'state': 2}}

Conditions:
A service-graph has neither ExIntfConfigRelFolder nor InIntfConfigRelFolder defined, and you have NAT configuration.

Workaround:
Make sure each service-graph has both ExIntfConfigRelFolder and InIntfConfigRelFolder defined.

Further Problem Description:

Last Modified:
11-MAY-2016
Known Affected Releases:
1.2(5.5)
Known Fixed Releases: *
1.2(6.3)
Alert Type:
New
Bug Id:
CSCuv50223
Title:
DOC: arp permit-nonconnected CLI is available on system context
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
The arp permit-nonconnected CLI is available in the system context. After enabling this command in the system context, it is automatically enabled in each context.

This is a request to add this description to the published documentation.

Conditions:
Using Multiple context mode

Workaround:

Further Problem Description:

Last Modified:
13-MAY-2016
Known Affected Releases:
8.4(5), 9.0(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy43438
Title:
L2TP over IPSec cannot be connected after disconnection from client.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
L2TP over IPSec cannot be reconnected for a while after a disconnection from the client.

Conditions:
- The client disconnects because of a network disruption.

Workaround:
- Wait a few minutes.

Further Problem Description:

Last Modified:
13-MAY-2016
Known Affected Releases:
8.4(7.23), 9.1
Known Fixed Releases: *
8.4(7.175), 8.4(7.176), 8.4(7.177)
Alert Type:
New
Bug Id:
CSCuz66780
Title:
FTD default logging messages shown after removing all of them
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
By default in Syslog settings on FMC there is a list of disabled syslog messages.

firepower# sh run logging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020

When you delete all the syslog messages that are disabled by default, the FMC shows an empty field, but the CLI output still shows the default settings.

This is not a cosmetic issue, as these syslog messages are not shown in 'show log' output.

Conditions:

Workaround:
Add a random syslog ID and make sure that it is enabled.

Further Problem Description:

Last Modified:
14-MAY-2016
Known Affected Releases:
DULCE_VIDA
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtk35575
Title:
Debug trace for mps_shash_release with logging.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Seeing debug trace related to mps_shash_release with logging

Conditions:
mps_shash_release attempted to process_suspend but failed because tmatch_release_actual had acquired a lock. The syslog reported this failure.

But in fact, the process_suspend is not needed in this particular case, because we have removed all elements from the hash table before releasing it.

Workaround:
The original intention of the process_suspend here is to prevent a watchdog in mps_shash_release when many elements are still in there.

In other words, the syslogs I saw are a false alarm.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.4(0.106)
Known Fixed Releases: *
100.15(0.112), 9.5(2.6), 9.6(0.99), 9.6(1), 96.1(1.65), 96.2(1.118)
Alert Type:
Updated *
Bug Id:
CSCuw96630
Title:
ASAv fails to boot
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASAv attempts to verify its image during bring up, but ends up failing with a console message of...

The digital signature of the booted image file did not verify successfully. 57 (Unable to get the platform key storage size or key is corrupted)
Rebooting now...

Conditions:
Failure can occur when deploying the ASAv on non-UCS host machines.

Workaround:
No workaround is available.

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.4(1.203)
Known Fixed Releases: *
100.14(0.83), 100.15(0.84), 100.15(20.16), 100.15(8.28), 100.16(0.9), 100.16(1.34), 100.16(14.1), 9.5(1.99), 9.5(2), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCus08552
Title:
show traffic protocol stats show large counter values-enhanced pkt stats
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
'show traffic' protocol statistics show huge counter values after enhanced packet stats are enabled.

Conditions:
After enhanced packet statistics are enabled with the command "sysopt traffic detailed-statistics", some of the counter values are very large as displayed with the "show traffic" command.

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
100.12(0.101), 9.3(1.108)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.4(2.99), 9.4(3), 9.6(0.99), 9.6(1), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCuu61981
Title:
http server shows as enabled in running config while it is not
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the configuration command "http server enable" fails due to a port usage conflict with AAA, with the error message "ERROR: Port 443 is being used on interface public by an aaa authentication listener", the configuration is incorrectly updated to include "http server enable".

Conditions:
When the configuration "http server enable [port-number]" is attempted but the designated port is already in use (e.g., by AAA).

Workaround:
Remove the conflicting configuration before "http server enable".

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCtj56778
Title:
Incorrect ARP MAC Address conversion
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA converts the following CLI
arp inside 1.2.3.4 abc.de.f
to
arp inside 1.2.3.4 ab0c.de00.0f00
it should convert to
arp 1.2.3.4 0abc.00de.000f
like IOS and IPv6 Neighbor cache

Conditions:

Workaround:
Enter the proper (fully padded) MAC address.
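The conversion this bug describes, as an added example (not Cisco's code or this bug's fix): a normalizer that expands dotted shorthand the way IOS and the IPv6 neighbor cache do, beside a reconstruction of the conversion the report observed on affected releases, and a checker that flags static arp entries in a config whose shorthand the two would install differently. The affected-release conversion is an assumption that reproduces the report's single example; the sample config and the function names are constructed.

```python
from __future__ import annotations

import re

# Dotted-hex MAC groups as the ASA CLI accepts them: one to four hex digits each.
_GROUP = re.compile(r"^[0-9a-f]{1,4}$")
# Static ARP entry: "arp <interface> <ip> <mac> [alias]".
_ARP_LINE = re.compile(r"^\s*arp\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def _groups(mac: str) -> list[str]:
    groups = mac.strip().lower().split(".")
    if len(groups) != 3 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"not a dotted-hex MAC address: {mac!r}")
    return groups


def normalize_mac(mac: str) -> str:
    """Expand shorthand ("abc.de.f") the way IOS and the IPv6 neighbor cache do:
    each group is a 16-bit value, so it is left-padded with zeros to four hex
    digits -> "0abc.00de.000f"."""
    return ".".join(g.zfill(4) for g in _groups(mac))


def affected_asa_mac(mac: str) -> str:
    """Reconstruction (assumption, not from the report) of the conversion an
    affected release performs: each group is read as byte tokens left to right,
    an odd trailing digit is padded to a byte, and missing bytes are filled with
    00 on the right. This reproduces the report's "abc.de.f" -> "ab0c.de00.0f00"."""
    out = []
    for g in _groups(mac):
        tokens = [g[i:i + 2] for i in range(0, len(g), 2)]  # "abc" -> ["ab", "c"]
        byte_strs = [t.zfill(2) for t in tokens]            # "c"  -> "0c"
        byte_strs += ["00"] * (2 - len(byte_strs))          # "de" -> "de00"
        out.append("".join(byte_strs))
    return ".".join(out)


def find_ambiguous_arp_entries(config: str) -> list[tuple[str, str, str]]:
    """Scan ASA config text for static 'arp' entries whose MAC shorthand an
    affected release would install differently from the intended address.
    Returns (config line, intended MAC, MAC an affected release installs)."""
    findings = []
    for line in config.splitlines():
        m = _ARP_LINE.match(line)
        if not m:
            continue
        intended = normalize_mac(m.group(3))
        installed = affected_asa_mac(m.group(3))
        if intended != installed:
            findings.append((line.strip(), intended, installed))
    return findings


# Constructed sample configuration (not from the bug report).
SAMPLE_CONFIG = """\
arp inside 1.2.3.4 abc.de.f
arp inside 10.0.0.5 0abc.00de.000f
arp dmz 10.0.1.9 0011.2233.4455 alias
"""

if __name__ == "__main__":
    for line, intended, installed in find_ambiguous_arp_entries(SAMPLE_CONFIG):
        print(f"{line}\n  intended: {intended}\n  installed on affected release: {installed}")
```

Only entries with a group shorter than four digits are flagged; fully padded entries convert identically under both rules, which is why the workaround of entering the full MAC address avoids the problem.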

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCux35272
Title:
ASA TCP normalizer checksum verification cannot be disabled
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA processes traffic that is L7 inspected or has to be redirected to a module (e.g. IPS, CX, SFR etc.), it needs to normalize it first.

One of the things that is checked during the normalization process is TCP checksum verification.
If a packet has a wrong TCP header checksum the normalizer will drop it. This will be shown in the ASA ASP drops as 'bad-tcp-cksum'.

Theoretically the ASA can be configured to ignore bad TCP checksums. Here is an example:
tcp-map IGNORE_TCP_CHECKSUM
no checksum-verification
!
policy-map SFR_PMAP
class SFR_CMAP
sfr fail-open
set connection advanced-options IGNORE_TCP_CHECKSUM
service-policy SFR_PMAP interface NET1

This defect is filed since even if the ASA is configured to ignore TCP checksum verification it is still doing it and the packet with the bad checksum is getting dropped with drop-reason: (bad-tcp-cksum).

Conditions:
L7 inspection or redirection to module is enabled so that TCP normalizer is on.

Workaround:

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.5(1.5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 100.8(40.111), 9.1(7.5), 9.2(4.9)
Alert Type:
Updated *
Bug Id:
CSCuv88898
Title:
WEBVPN Rewriter: Stops mangling after hex code of Period on Bookmark URL
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the hex code of the characters in a URL is used in the bookmark for clientless WebVPN, the URL mangling stops after the hex equivalent of "period" is seen.
For example:
For http://www.cisco.com we use "http://www.cisco.com"
The mangled URL looks like this:
https://ASA IP/+CSCO+0h756767633A2F2F6A6A6A++/.cisco.com

The mangling stops at ".", the hex equivalent of "period".

Conditions:
HEX code is used on the Bookmark URL

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.106), 100.14(0.76), 100.15(0.39), 100.15(17.14), 100.15(3.63), 100.15(8.16), 100.16(0.2), 100.16(1.3)
Alert Type:
Updated *
Bug Id:
CSCui20213
Title:
5585 interface counters show 0 for working interfaces and console errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The output of 'show interface' could show counters that have not incremented and are all stuck at 0, even though the interface is actively passing traffic (the input and output packet rates are non-zero).

Example:

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address xxxx.xxxx.xxxx, MTU 1500
IP address 10.0.0.2, subnet mask 255.255.255.224
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause/resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause/resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Traffic Statistics for "outside":
7535042 packets input, 8722096534 bytes
8312179 packets output, 5806296169 bytes
6413 packets dropped
1 minute input rate 12208 pkts/sec, 14102277 bytes/sec
1 minute output rate 13488 pkts/sec, 9085510 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 12883 pkts/sec, 15164633 bytes/sec
5 minute output rate 13085 pkts/sec, 8124951 bytes/sec
5 minute drop rate, 8 pkts/sec
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active

Additionally, the following messages might be seen on the console of the ASA:
8841: Message #1162 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8842: Message #1163 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8843: Message #1164 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8844: Message #1165 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8845: Message #1166 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12

Conditions:
Only the ASA 5585 platforms are affected by this problem.

The 'bcmCNTR.0' process will not be present in the output of 'show process'.

Example:
Note the bcmCNTR.0 is not listed in the output below:

ciscoasa/pri/stby# show proc | inc bcm
Mwe 0x0000000001d94c98 0x00007ffaa8510748 0x00007ffad2bf43d0 0 0x00007ffaa8508960 32224/32768 bcmXGS3AsyncTX
Mwe 0x0000000001d94c98 0x00007ffaa93e6b08 0x00007ffad2bec100 0 0x00007ffaa93ded00 32256/32768 bcmTX
Msi 0x00000000021e6b25 0x00007ffaa9523e98 0x0000000005bad7d0 523950 0x00007ffaa951c000 30136/32768 bcmPOLL
Mwe 0x0000000001d94cde 0x00007ffad8badaf8 0x00007ffad2beb650 8688473 0x00007ffad8ba5d20 28568/32768 bcmLINK.0
Mwe 0x0000000001d94c98 0x00007ffaa7a62aa8 0x00007ffaa7a5ac10 0 0x00007ffaa7a5ac80 32288/32768 bcmDPC
Mwe 0x0000000001d94cde 0x00007ffaa94b43e8 0x00007ffad2beb6c0 4251733 0x00007ffaa94ac600 29416/32768 bcmCNTR.0
Mwe 0x0000000001d5cdaa 0x00007ffaa7a5a7f8 0x00007ffaa7a27fb8 0 0x00007ffaa7a52980 32368/32768 bcm_esw_surprise_reset.0
Msi 0x0000000001d65998 0x00007ffad8bb5bf8 0x0000000005bad7d0 211236 0x00007ffad8badd70 30008/32768 bcm_esw_poll
Mwe 0x0000000001d63468 0x00007ffad8bbdc08 0x0000000005b11590 4 0x00007ffad8bb5dc0 29496/32768 bcm_esw_ioctl_task_handler
ciscoasa/pri/stby#

Workaround:
Rebooting the ASA should restore the interface statistic information.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
100.8(53.2), 100.9(7.27), 8.4(7), 9.1(4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.80), 100.15(20.15), 100.15(8.27), 100.16(0.8), 100.16(1.30), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCuq27754
Title:
WebVPN client browser doesn't show all content from flash site
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When www.loreal.com is accessed through Clientless SSL VPN portal page, flash content on the www.loreal.com is not displayed.

Conditions:
Seen on both Mac OS X v10.9 with Firefox v28, v30 and Safari v7.x, and on Windows 7 with Firefox v28 and Internet Explorer v11.

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.2(1.102)
Known Fixed Releases: *
100.13(0.112), 100.14(0.78), 100.15(0.51), 100.15(17.21), 100.15(3.73), 100.15(8.17), 100.16(0.3), 100.16(1.7), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCur19070
Title:
PBR:Route-map is accepting interface which is not configured with nameif
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The route-map accepts an interface name substring after reporting an ambiguous command error during configuration.

Conditions:
Configure two nameif interfaces named test1 and test2. When the interface "test" is then referenced under the route-map "set interface" command, the ASA reports an ambiguous command but nonetheless configures "test1" in the route-map.

Workaround:
No Workaround

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
100.13(12.13), 9.4(1)
Known Fixed Releases: *
100.15(0.105), 100.16(0.15), 100.16(1.74), 100.16(1.76), 100.16(12.2), 100.16(14.1), 9.6(0.99), 9.6(1), 96.1(1.21), 96.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCuv35050
Title:
ASA - slow NFSv3 transfer with sunrpc inspection
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When sunrpc inspection is enabled, NFSv3 file transfers are observed with out-of-order packet pairs on the egress interface while there are no out-of-order packets on the ingress interface.

This issue does not appear to cause any retransmissions or slowness of the file transfer.

Conditions:
ASA running 9.1.x with sunrpc inspection enabled and large file transfer.

Workaround:
Disable inspection or configure TCP state bypass, or decrease the sunrpc timeout to a much lower value so that the secondary data connection times out.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.112), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuu88412
Title:
When > 510 characters entered in CLI, context switches to admin/system
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a user enters more than 510 characters on the CLI while not in the admin/system context, the user is unintentionally switched into the "admin/system" context. This issue was observed when running the command on an ASASM after first logging into the 6500 switch and performing a "session" connection to the module.

Conditions:
ASASM with v9.1.6.1

Workaround:
none

Further Problem Description:
none

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20)
Alert Type:
Updated *
Bug Id:
CSCuv27432
Title:
enhancements to logging debug-persist
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is an enhancement request for the following:
1) Able to save logging debug-persist in the config file to retain across reboots.
2) Enhance show debug to display persistent debugs as well
3) Able to selectively clear debugs enabled in one session from a different session.
4) Enable persistent debugs using "logging debug-trace persistent" command.

Conditions:
This is an enhancement request

Workaround:
This is an enhancement request

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.84), 100.15(20.16), 100.15(8.28), 100.16(0.9), 100.16(1.34), 100.16(14.1), 9.5(1.99), 9.5(2), 9.6(0.99), 9.6(1)
Alert Type:
Updated *
Bug Id:
CSCux09040
Title:
ASA not denying initial SYN to non gateway of host
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA completes 3-way handshake for Telnet/SSH control traffic (to-the-box) when initial SYN should be denied.

Conditions:
Tested on ASA running 9.2.3.4 and 9.3.1 images.
SSH/Telnet enabled
Client sends control traffic to non gateway interface

Workaround:
create specific denies for control plane traffic via ACL
disable SSH/Telnet
upgrade to 9.4.1

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.2(3.4), 9.3(1)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCux63770
Title:
IPAA needs improved debugging - Part 2- add Syslogs 737034-737036
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Hard to troubleshoot errors during DHCP assigning addresses with IPAA

Conditions:
Error path conditions

Workaround:
None

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.109), 100.16(0.19), 100.8(40.113), 9.0(4.212), 9.1(6.117), 9.1(7), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuz41308
Title:
zone keyword seen in show route interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
zone keyword seen in show route interface

Conditions:
zone keyword seen in "show route interface" which is not expected.

Workaround:
none

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
96.2(0.6)
Known Fixed Releases: *
96.2(0.16), 96.2(11.13), 97.1(0.15), 97.1(1.34), 97.1(3.7), 97.1(9.1)
Alert Type:
New
Bug Id:
CSCtc52939
Title:
udp open does not recognize ports open in multi-mode.
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
In multi-mode, if there is a static rule configured for a particular port using UDP protocol, and any other feature tries to use the same port as the configured rule, no warning message is displayed when the feature tries to use the port.

Conditions:
Only seen in multi-mode and when a static rule is configured on a port that uses UDP.

Workaround:
Use a different port for the feature than the port configured in the static rule.

Further Problem Description:

Last Modified:
18-MAY-2016
Known Affected Releases:
8.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy85511
Title:
libxml2 htmlParseNameComplex() Function Denial of Service Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2016-2073

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:U/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2016-2073 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
18-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy68174
Title:
Coverity 114166: NULL_RETURNS in ss_send_health_check_request
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
18-MAY-2016
Known Affected Releases: *
100.11(0.71), 100.13(0.132), 100.15(0.111), 96.1(1.83), 96.2(1.147), 97.1(1.5)
Known Fixed Releases:
100.15(0.112), 96.1(1.86), 96.2(1.158), 96.2(11.2), 97.1(0.6), 97.1(1.8), 97.1(2.4), 97.1(3.2), 97.1(4.2), 97.1(5.2)
Alert Type:
Updated *
Bug Id:
CSCuy81415
Title:
Coverity 114302: SECURE_CODING in send_sync_request
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.154), 97.1(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy81413
Title:
Coverity 114300: SECURE_CODING in send_ack_request
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.154), 97.1(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy72285
Title:
Coverity 114204: MISSING_LOCK in newStorageItem
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.147), 97.1(1.42)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy72279
Title:
Coverity 114193: DEADCODE in SmartAgentReservationInstall
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.147), 97.1(1.42)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz72495
Title:
asa-dp: nameif of interface missing from ASA on creating service graph
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
On creating the new service graph, the nameif of the interface of a connector is not set on the ASA.

Conditions:
The Interface folder is created beforehand but is empty.
At the time of creating the graph, configure the details of the Interface folder as well.

Workaround:
Trigger a serviceAudit operation.

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases:
1.2(5.5)
Known Fixed Releases:
1.2(6.5)
Alert Type:
Updated *
Bug Id:
CSCuy72286
Title:
Coverity 114205: MISSING_LOCK in newStorageItemForChar
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.147), 97.1(1.42)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy72287
Title:
Coverity 114206: MISSING_LOCK in newStorageItemForChar
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
19-MAY-2016
Known Affected Releases: *
96.2(0.32), 96.2(1.147), 97.1(1.42)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus14147
Title:
ASA generate pool exhausted for sip inspect with embedded IP but no port
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
When the ASA receives a UDP SIP "200 OK" message for a non-existent transaction, the syslog "%ASA-3-202010: NAT/PAT pool exhausted. Unable to create connection" is generated.
NAT does return success and SIP sends out the packet.

Conditions:
ASA is configured with sip inspection.
PAT is configured for sip traffic.

Workaround:
NONE

Further Problem Description:

Last Modified:
20-MAY-2016
Known Affected Releases:
9.1(2), 9.1(3), 9.1(5), 9.2(2.4), 9.3(1)
Known Fixed Releases:
100.11(0.56), 100.12(0.112), 100.13(0.27), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.3), 100.14(11.3)
Alert Type:
Updated *
Bug Id:
CSCuu40736
Title:
Capture <name> type inline-tag interface <name> defaults to tag value 0
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
User sees only packets with tag value= 0 in packet capture

Conditions:
capture type inline-tag interface

Workaround:
capture type raw-data interface

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
99.1(2.160)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 96.2(0.17), 96.2(11.14), 97.1(0.15), 97.1(1.36), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuh89500
Title:
ASA: ifSpeed/ifHighSpeed not populated by SNMP for port-channel
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When polling ifSpeed/ifHighSpeed for port-channel interfaces on an ASA, the ASA returns a value of 0:

Interface Port-channel1 "outside", is up, line protocol is up
Hardware is EtherChannel/ON, BW 2000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)

ifDescr: .1.3.6.1.2.1.2.2.1.2.34 = STRING: Adaptive Security Appliance 'outside' interface
ifSpeed: .1.3.6.1.2.1.2.2.1.5.34 = Gauge32: 0
ifHighSpeed: .1.3.6.1.2.1.31.1.1.1.15.34 = Gauge32: 0

Conditions:
port-channel is configured.

Workaround:
Poll individual interfaces and link status

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 96.2(0.26), 96.2(11.16), 97.1(0.16), 97.1(1.39), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuu54582
Title:
ASA-SFR, ASA should attempt to join Cluster after SFR service module up
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
With an ASA 5585 cluster configured, and with the service card health checks enabled, when the ASA and SFR are both rebooted, sometimes the slave ASA is booted out of the cluster, since it attempts to join the cluster when the SFR is not finished booting, and therefore fails the health check.

On the master, the following messages are seen:
Cluster unit EDGE2 transitioned from DISABLED to SLAVE
Asking slave unit EDGE2 to quit due to Security Service Card health check failure, and its Security Service Card state is CLUSTER_SSM_DOWN
FROM EDGE2: Unit is kicked out from cluster because of SSM card health check failure.

Conditions:
With ASA 5585 clustering enabled, and both ASA and SFR are booting up at the same time, if the SFR takes longer to boot than the ASA.

Workaround:
Manually add the ASA into the cluster once the SFR is finished booting. Check when SFR is ready by running 'show module' and ensuring that both the control and data plane for SFR are up.

# conf t
# cluster group
# enable

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
100.14(0.22), 9.5(2.6)
Known Fixed Releases: *
100.15(0.118), 96.2(0.29), 96.2(11.16), 97.1(0.17), 97.1(1.41), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuz60555
Title:
ASA-2-321006 May be received invalidly when memory is not high
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Syslog message %ASA-2-321006 may be reported in error. The syslog message should only be received under the following conditions:

Conditions:
The system memory usage has reached 80 percent or more and remains at this level for five minutes.

Syslogs enabled at level 2.

Workaround:
The memory reported in this message may be cosmetic. The true amount of free memory can be seen in the output of "show memory detail". Disable logging of ASA-2-321006 if it is deemed cosmetic.
no logging message 321006


Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
9.4(2.3)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 96.2(0.32), 96.2(11.16), 97.1(0.17), 97.1(1.43), 97.1(3.8), 97.1(9.3)
Alert Type:
Updated *
Bug Id:
CSCuy93963
Title:
Radius EAP authentication fails for ikev1 L2TP Windows VPN clients
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
Native ikev1 l2tp Windows VPN client authentication fails after upgrading the ASA from 9.0(3) to 9.1 or higher.

Conditions:
-- Native ikev1 l2tp Windows VPN to ASA
-- certificate based user authentication by radius server
-- authentication eap-proxy used (EAP-TLS)

Workaround:
downgrade to ASA 9.0(4)38 or lower

Further Problem Description:

Last Modified:
22-MAY-2016
Known Affected Releases:
9.1(6.11), 9.2(4)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy85514
Title:
Sudo Symbolic Link Handling Arbitrary File Access Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-5602

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.5:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:L/AC:H/Au:S/C:C/I:C/A:N/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-5602 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
23-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz77715
Title:
Doc: Improve messaging around disabling health-check for adding slave
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
The ASA clustering configuration guide mentions that health-check must be disabled in order to add a slave with a bad interface to the cluster. It needs more detail on how to disable health-check (interface monitoring must be disabled as well).

Conditions:
NA

Workaround:
A

Further Problem Description:

Last Modified:
23-MAY-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz76098
Title:
ASA slave cannot join cluster due to 4096 key size
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
Slave unit of 2 unit cluster cannot rejoin cluster due to issues concerning SSL. Debug messages below:

debug crypto ca cluster
===================
%ASA-6-725007: SSL session with server cluster:x.x.x.x/50056 to x.x.x.x/10847 terminated
%ASA-6-725007: SSL session with client cluster:x.x.x.x/22749 to x.x.x.x/10843 terminated
%ASA-6-725007: SSL session with client cluster:x.x.x.x/26811 to x.x.x.x/10847 terminated

Conditions:
Observed on Spyker (SSP-20) platform running 9.4.2
crypto key size configured was 4096 bytes.

Cluster/admin# sh crypto key mypubkey rsa
Key pair was generated at: 05:49:58 GMT Feb 6 2016
Key name:
Usage: General Purpose Key
Modulus Size (bits): 4096
Key Data:

Workaround:
Create a smaller RSA key pair:

'cry key gen rsa modulus 2048'

Further Problem Description:

Last Modified:
24-MAY-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz05856
Title:
XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2016-3627

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:U/RC:UC

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2016-3627 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux85528
Title:
XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-7500

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-7500 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux85533
Title:
XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-8317

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-8317 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux85532
Title:
XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-8241

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.8:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:P/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-8241 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCux85527
Title:
XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerability
Status:
Open
Severity:
3 Moderate
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-7499

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-7499 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
25-MAY-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv34906
Title:
IPv6 packets with a next header of 8 are dropped by failover code
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IPv6 packets arriving at the ASA with a next header value of 8 are dropped.

Conditions:
IPv6 packets arriving at the ASA with a next header value of 8 are dropped.

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.67), 100.15(0.20), 100.15(1.35), 100.15(10.4), 100.15(2.66), 100.15(4.23), 100.15(5.27)
Alert Type:
Updated *
Bug Id:
CSCur02239
Title:
ASA ACL hitcount not correct for ACLs with service object groups
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
For ACLs with service object groups the overall hitcount in show access-list output is not correctly calculated. The total hitcount is only incremented if we hit the first ACL entry.

Conditions:
ACL with service object groups

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.49), 100.12(0.57), 100.13(0.4), 100.13(11.6), 100.13(12.10), 100.13(13.1), 100.13(14.3), 100.13(15.4), 100.13(16.1), 100.13(17.1)
Alert Type:
Updated *
Bug Id:
CSCuu92632
Title:
ASA sets non-zero FA in OSPF for anyconnect redistributed network
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Re-distribution of anyconnect static routes on ASA 9.x doesn't work.

The output of the command "show ospf database external" shows the forward address being set to non-zero/incorrect value.

ciscoasa# show ospf database external 10.0.103.161

OSPF Router with ID (172.16.10.1) (Process ID 1)

Type-5 AS External Link States

LS age: 1503
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 10.0.103.161 (External Network Number )
Advertising Router: 172.16.10.1
LS Seq Number: 80000001
Checksum: 0xfff4
Length: 36
Network Mask:255.255.255.255
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 172.16.10.10 <----------------
External Route Tag: 0

Conditions:
- ASA with OSPF enabled
- redistributing Anyconnect VPN static addresses into OSPF
- Anyconnect VPN terminates on the same interface where distribution is performed

Workaround:
Route redistributed network to the Null0 interface

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(10.3), 100.15(2.65), 100.15(3.16), 100.15(4.20)
Alert Type:
Updated *
Bug Id:
CSCuq78238
Title:
Inspect rule defaults in standby transparent context on write standby
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A default inspection rule is seen in the running configuration of standby context of ASA, but not in active context.

Conditions:
1. The context is in transparent mode.
2. The ASA is multiple mode.
3. ASA is running a 9.x version.
4. Write Standby was issued on active context.

Workaround:
1. Do not use write standby. The write standby command should not be used in normal circumstances; it should be used only if a config mismatch is suspected.
2. Remove the inspect rule from the standby manually.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(4.20), 9.1(5.12), 9.2(2.4)
Known Fixed Releases: *
100.11(0.51), 100.12(0.71), 100.12(23.2), 100.12(6.21), 100.13(0.7), 100.13(11.12), 100.13(12.17), 100.13(15.8), 100.13(16.2), 100.13(17.2)
Alert Type:
Updated *
Bug Id:
CSCup89922
Title:
ASA DNS lookups always prefer IPv6 response
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A DNS server configured on the ASA will always be queried with IPv6 DNS requests (type=AAAA) if any of the interfaces are configured with IPv6. There is no way to prevent this behaviour or to make the ASA prefer sending type=A requests.

Conditions:
This only occurs if IPv6 is enabled on any interface of the ASA, even if no Globally Unique Address is assigned. If IPv6 is enabled, then the ASA only makes Type=AAAA DNS requests. This will always result in an IPv6 DNS response, and potentially cause features that depend on DNS to fail (i.e. Smart Call Home).

Workaround:
Disable all IPv6 addresses on the ASA.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(0.2), 9.1(1), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu13345
Title:
Drop reasons missing from asp-drop capture
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Drop reasons missing from asp-drop capture.

Conditions:
Viewing capture with "show capture"
-or-
Downloading via HTTP with https:///capture/

Workaround:
None

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.12(0.128), 100.13(0.77), 100.13(0.78), 100.13(21.15), 100.13(21.16), 100.14(0.27), 100.14(0.35), 100.14(10.23)
Alert Type:
Updated *
Bug Id:
CSCuu41142
Title:
IPv6 local host route fail when setting link-local/Global simultaneously
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the link-local address and the global address are configured simultaneously by copy-and-paste from a text editor, the IPv6 local host route cannot be seen in "show ipv6 route".
For example, when trying to set 2001:1111:1111:111::1/128 as the IPv6 address on an interface, the local host route for 2001:1111:1111:111::1/128 should be installed but in certain situations was not.

ciscoasa/C1(config-if)# sh ipv6 route

IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:1111:1111:111::/64 [0/0]
via ::, outside
L fe80::/10 [0/0]
via ::, outside
L ff00::/8 [0/0]
via ::, outside

The following local host routing should be set.

L 2001:1111:1111:111::1/128 [0/0]
via ::, outside

Conditions:
The symptom only occurs when changing the link-local address and the global address simultaneously.
Therefore, the symptom does not occur when the link-local address is not changed, or when the link-local address and the global address are configured one line at a time.

Workaround:
- Configure the link-local address and the global address one line at a time (do not copy-and-paste multiple lines)
- Do not change the link-local address when configuring the global address

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.59), 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuu54660
Title:
ASA Remote Access - Phase 1 terminated after xauth
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IPSEC remote access clients are intermittently not able to connect.
The user is prompted for password and then the connection fails.

From the ASA debugs we can see the Phase 1 and X-auth + config mode are passing fine. Then the ASA deletes the Phase 1, sends delete information to the client and discards QM1 packet sent by the client.

Conditions:
MacOS / iOS built-in IPSEC VPN client.
Clients behind NAT.
More detailed triggers unknown.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuq39567
Title:
Traceback in Thread Name qos_metric_daemon caused by asdm history enable
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA can crash in Thread Name qos_metric_daemon when "asdm history enable" is configured in context #31.

Conditions:
This was first found in 9.2(1) software version. Other versions can be affected as well.

Workaround:
Do not enable ASDM history in more than 30 contexts.

Further Problem Description:
Console says:

P23-FW-5545-E01-E02/PLC3-MC-OC(config)# ! 31
P23-FW-5545-E01-E02/PLC3-MC-OC(config)# changeto context PLC3-MD-OC
P23-FW-5545-E01-E02/PLC3-MD-OC(config)# asdm history enable
Can't start the ASDM metric history
Usage:
asdm disconnect [log_session]
[no] asdm history enable
[no] asdm location
[no] asdm location
[no] asdm group
[no] asdm group reference
show asdm history [view {all|12h|5d|60m|10m}] [snapshot]
[feature {all|blocks|cpu|failover|ids|interface |
memory|perfmon|xlates}] [asdmclient]
show asdm sessions
show asdm log_sessions
show running-config asdm [group|location]
clear config asdm [location|group]

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(4), 9.2(1)
Known Fixed Releases: *
100.11(0.51), 100.12(0.70), 100.12(6.20), 100.13(0.6), 100.13(11.11), 100.13(12.16), 100.13(15.7), 100.13(16.2), 100.13(17.2), 100.13(18.1)
Alert Type:
Updated *
Bug Id:
CSCuq65201
Title:
ASA Local CA generates unexpected renewal reminder message
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- ASA is working as a Local CA

After a few days, the following logs are generated for all users even if the users' certificates are not close to expiring.
-----
%ASA-6-717043: Local CA Server certificate enrollment related info for user: testuser1. Info: Generated a certificate renewal reminder for user.
%ASA-6-717043: Local CA Server certificate enrollment related info for user: testuser2. Info: Generated a certificate renewal reminder for user.
%ASA-6-717043: Local CA Server certificate enrollment related info for user: testuser3. Info: Generated a certificate renewal reminder for user.
%ASA-6-717043: Local CA Server certificate enrollment related info for user: testuser4. Info: Generated a certificate renewal reminder for user.
.
.
.
-----

Conditions:
- Confirmed on ASA Version 9.1(2) / 9.0(3)
- ASA is working as a Local CA

Workaround:
none at the moment

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(3), 9.1(2)
Known Fixed Releases: *
100.11(0.48), 100.12(0.56), 100.12(6.11), 100.13(0.4), 100.13(11.4), 100.13(12.8), 100.13(13.1), 100.13(14.3), 100.13(15.4), 100.13(16.1)
Alert Type:
Updated *
Bug Id:
CSCuw32125
Title:
ASA stacktrace in vpn client disconnect that had dACL applied
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the console of an ASA, the following stacktrace is seen.

Aug 12 14:54:50 10.0.7.81 %ASA-0-711001: -Traceback: 000000000042A63E 0000000001187B31 00000000011A7195 00000000011A75B3 00000000011AFBDD 00000000011B1738 0000000000531469 0000000000532D1E 0000000000540F86 0000000000531F1F 00000000004286D5

It decodes to the following:

Version:arsenal/9.0.4.17
Image Type: asa
Executable: smp
Symbol File: smp.sort

The stack trace decode suggests that it occurs when a client that had a dACL applied disconnects.

Conditions:
ASA 5580-40 running version asa904-17-smp-k8

Workaround:
None

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3), 100.16(1.6)
Alert Type:
Updated *
Bug Id:
CSCua32176
Title:
IPv6 Complete Packet Fragment Reassembly Check Bypass
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
It is possible for a crafted IPv6 packet to bypass the fragment reassembly check of the Cisco Adaptive Security Appliance (ASA).

Conditions:
Cisco ASA configured for IPv6.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5736 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.11(0.63), 100.12(0.143), 100.12(0.146), 100.13(0.100), 100.13(0.95), 100.14(0.71), 100.14(0.73), 100.15(0.24), 100.15(0.26)
Alert Type:
Updated *
Bug Id:
CSCuu02635
Title:
Remove demo and eval warning for sfr monitor-only
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A warning is produced when configuring the SFR module to monitor-only mode. Example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
WARNING: Monitor-only mode should be used for demonstrations and evaluations only. This mode prevents SFR from denying or altering traffic.

Conditions:
The sfr monitor-only mode in the policy map is supported for production, which makes the "should be used for demonstrations and evaluations only" text incorrect and confusing.

Workaround:
None. Ignore the "should be used for demonstrations and evaluations only" portion of the warning.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuo65775
Title:
Cisco ASA Information Disclosure Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to disclose sensitive data which includes the ASA software version. This information could be used for reconnaissance attacks.

The vulnerability is due to insufficient protections of sensitive data before authentication with the AnyConnect client. An attacker could exploit this vulnerability by attempting to authenticate to the device with AnyConnect which could disclose the sensitive information.

Conditions:
Device running with IKE/WVPN enabled on an interface on an affected version of software using the AnyConnect client.

The AnyConnect client can be running any version of software.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2016-1295 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
27-MAY-2016
Known Affected Releases:
8.4, 9.1, 9.3, 9.4
Known Fixed Releases: *
100.11(0.47), 100.12(0.48), 100.12(6.7), 100.13(0.3), 100.13(11.2), 100.13(12.3), 100.13(13.1), 100.13(14.2), 100.13(15.1), 100.13(16.1)
Alert Type:
Updated *
Bug Id:
CSCuy48237
Title:
Clientless SSL VPN CIFS stress test: ramfs_webvpn_file_open traceback
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA Clientless SSL VPN CIFS stress test may cause ramfs_webvpn_file_open traceback.

Conditions:
Clientless SSL VPN and CIFS operations (add, delete, rename files and folders).

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.4(2.101)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.119), 9.2(4.11), 9.4(3.1), 96.2(0.17), 96.2(11.14), 97.1(0.15), 97.1(1.36), 97.1(3.8)
Alert Type:
Updated *
Bug Id:
CSCuz58142
Title:
ASA Access-list missing and losing elements Warning Message enhancement
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After pushing a configuration change, tmatch compile continues to run, the number of elements in the ACL falls, and not all elements are loaded.

Conditions:
ASA running 9.1.7 with new ACL configuration applied.

Workaround:
none

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.2(4.11), 96.2(0.30), 96.2(11.16), 97.1(0.17), 97.1(1.42), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuu16983
Title:
ASA: failover logging messages appear in user context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Failover syslog messages should appear in the admin context, but they appear in user context.

Conditions:
ASA in multi-context mode.

Workaround:

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(5.19), 9.2(2.8)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuz58666
Title:
ENH: Cryptic ERROR when configuring capture with access-list
Status:
Open
Severity: *
4 Minor
Description: *

Symptom:
A cryptic error is received when configuring a capture with an access-list.

Conditions:
Configure a capture referencing an ACL that does not specify the IP version in the ACL

(e.g. access-list capture permit ip any any)

Workaround:
Create access-list like below:

(e.g. access-list capture permit ip any4 any4)

Further Problem Description:

Last Modified:
10-MAY-2016
Known Affected Releases:
8.4(6), 9.7(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur60060
Title:
ASA: Incorrect warning displayed on configuring syslog server
Status:
Open
Severity:
4 Minor
Description: *

Symptom:
ASA prints the following error incorrectly even when the route is correct:

WARNING: configured logging host interface conflicts with route table entry

Conditions:
This is seen on configuring a new syslog server or removing an existing one.

Workaround:
This is cosmetic. Command still takes effect.

Further Problem Description:

Last Modified:
11-MAY-2016
Known Affected Releases:
9.3(1.80)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz41009
Title:
False system memory usage syslog alerts!
Status:
Other
Severity: *
4 Minor
Description: *

Symptom:
%ASA-2-321006: System Memory usage reached 189%

Conditions:

Workaround:
No workaround; just disable the syslog temporarily

Last Modified:
14-MAY-2016
Known Affected Releases:
9.5(2), 9.5(2.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv96380
Title:
Failover uptime sync failure
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
On ASAs running in failover, the failover uptime does not synchronize to match on both ASAs.

Conditions:
ASAs in failover with a huge number of contexts in a multicontext setup (108 contexts in my setup).

Workaround:
N/A

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(4), 9.1(4.5), 9.1(6)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.77), 100.15(0.36), 100.15(17.12), 100.15(3.61), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCua66518
Title:
Help arp SYNTAX section misses "permit-nonconnected" entry
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp misses permit-nonconnected entry in SYNTAX section.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.4(4), 8.4(4.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.13(0.121), 100.14(0.83), 100.14(0.84), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18)
Alert Type:
Updated *
Bug Id:
CSCuv93976
Title:
NTP: Standby ASA sends NTP with source 0.0.0.0 if standby ip not set
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
A standby ASA in a failover pair may send NTP packets with a source IP of 0.0.0.0 if the interface those packets would normally leave from does not have a standby ip configured.

Conditions:
This is seen in failover deployments where the NTP-server-facing interface does not have a standby IP in its configuration.

Workaround:
Configure the standby ip address for that interface.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 9.6(1)
Alert Type:
Updated *
Bug Id:
CSCur42057
Title:
Smart Licensing: License config warning needs message classification
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Incomplete smart licensing config will be reported as an error by ASDM.

Conditions:
User configures only one part of smart licensing. There are two parts: feature tier and throughput. If the user specifies only one and then exits, the message that is displayed will be interpreted as an error by ASDM.

Workaround:
Configure both parts of smart licensing before exiting smart licensing config.

Further Problem Description:
This should be displayed as a warning by ASDM. The code should be modified to prepend "WARNING:" so that ASDM properly displays it as a warning.

Last Modified:
16-MAY-2016
Known Affected Releases:
100.12(6.24)
Known Fixed Releases: *
100.16(0.20), 9.6(0.99), 9.6(1), 96.1(1.56), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCua71298
Title:
Help arp in context shows arp permit-nonconnected
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp in admin and user contexts shows arp permit-nonconnected entry, which is only available in system context.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.114), 100.14(0.79), 100.15(0.56), 100.15(17.24), 100.15(3.77), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCua71394
Title:
ARP debug messages output raw milliseconds values
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
ARP debug messages output raw millisecond counts, which don't make much sense for users.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.96), 100.15(20.23), 100.16(0.11), 100.16(1.53), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCur80711
Title:
dhcprelay enabled interface pops memory message when address is assigned
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
When dhcprelay is enabled on an interface, the memory message "No memory for DHCP interface ''" is displayed.

Conditions:
ASA in multicontext mode.

Workaround:
None, but this is a benign message

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(40.114), 9.4(2.99), 9.4(3), 9.6(0.99), 9.6(1), 96.1(1.66)
Alert Type:
Updated *
Bug Id:
CSCuy65572
Title:
Coverity 114171: SECURE_CODING in aaai_append_attr_table_ext
Status:
Other
Severity:
4 Minor
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
18-MAY-2016
Known Affected Releases: *
100.11(0.71), 100.13(0.132), 100.15(0.111), 100.8(40.119), 96.1(1.83), 96.2(1.147), 97.1(1.5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz73580
Title:
Data structure error--attempt to remove an unthreaded node from a tree
Status:
Open
Severity:
4 Minor
Description:

Symptom:
ASA running 9.1(7) will start showing alerts in the logging file such as the following:
%ASA-1-111111: Data structure error--attempt to remove an unthreaded node from a tree

Conditions:
ASA running version 9.1.7

Workaround:
NA

Further Problem Description:
NA

Last Modified:
20-MAY-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz11171
Title:
'show service-policy inspect gtp pdp-context imsi' does not work
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The 'show service-policy inspect gtp pdp-context imsi' command does not display any pdp-contexts.

Conditions:

Workaround:
Filter by IMSI by issuing the command 'show service-policy inspect gtp pdp-context detail | inc IMSI', although this only gives partial output.

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.15(0.118), 96.2(0.26), 96.2(11.16), 97.1(0.16), 97.1(1.39), 97.1(3.8), 97.1(9.1)
Alert Type:
Updated *
Bug Id:
CSCuq71796
Title:
Webvpn Logon Form Title alignment issue w/ strings {>20 character}
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Table alignment issues are noticed if the Logon Form Title is customized to a string longer than ~20 characters.

Customization: Logon Page -> Logon Form -> Title

Conditions:
** Clientless webvpn should be enabled
** Customized Title should be big enough to cause table disorientation

Workaround:
Advanced Portal Customization would help resolve the issue

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.1(5), 9.2
Known Fixed Releases: *
100.11(0.49), 100.12(0.57), 100.13(0.4), 100.13(11.6), 100.13(12.10), 100.13(13.1), 100.13(14.3), 100.13(15.4), 100.13(16.1), 100.13(17.1)
Alert Type:
Updated *
Bug Id:
CSCuy83486
Title:
caller_pc in malloc_header should record the caller of calloc
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Due to changes in the ASA's memory management in 9.3.2 and later, when an application/feature on the ASA uses calloc to allocate memory, calloc is recorded as the allocator of the memory instead of the caller of the calloc function.

Conditions:
calloc is used to allocate memory

Workaround:
Use memory caller-address feature to find out caller of calloc.
For more information see https://techzone.cisco.com/t5/ASA-Firewall/Function-quot-calloc-quot-seen-allocating-memory-in-ASA-versions/ta-p/911422

Further Problem Description:
This is benign; it does not impact functionality. For more information see https://techzone.cisco.com/t5/ASA-Firewall/Function-quot-calloc-quot-seen-allocating-memory-in-ASA-versions/ta-p/911422

Last Modified:
28-MAY-2016
Known Affected Releases:
9.3(3), 96.2(1.155)
Known Fixed Releases: *
96.2(0.36), 97.1(0.18), 97.1(1.47)
Alert Type:
Updated *
Bug Id:
CSCuz19421
Title:
ENH: ASA - Ability to suppress NAT warning console messages during boot
Status: *
Fixed
Severity: *
4 Minor
Description:

Symptom:
Enhancement request to add the ability to suppress NAT warning messages which are shown on the console during boot up.

Conditions:
Rebooting the ASA which displays a lot of warning messages could cause delays before the ASA is completely up.

Workaround:
none

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz33066
Title:
ASA IETF NSF: Opaque LSA IP Address is displayed in reverse order
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
Command 'show ospf 1 database opaque-link' displays IP address field with octets in reverse order.

Conditions:
This issue was first found in version 9.5(2.6). Other versions are likely affected as well. The ASA runs in failover with IETF NSF enabled.

Workaround:
This is a cosmetic issue.

Further Problem Description:

Last Modified:
24-MAY-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.5(2.216), 96.2(0.34), 96.2(11.17), 97.1(0.17), 97.1(1.44), 97.1(3.8), 97.1(9.3)
Alert Type:
Updated *
Bug Id:
CSCuz85887
Title:
CLI context help incorrectly calls TG a group policy
Status:
Open
Severity:
5 Cosmetic
Description: *

Symptom:
ASA incorrectly refers to tunnel group as group policy:

asa1(config)# tunnel-group test-atbasu ?
configure mode commands/options:
type Enter the type of this group-policy

Conditions:
Using context-sensitive help when configuring a tunnel group for the first time.

Workaround:
n/a

Further Problem Description:

Last Modified:
28-MAY-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy36536
Title:
Transparent Firewall: Need ability to switch 802.2 LLC with DSAP 0xe8
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Packets with an 802.2 LLC header with most LSAPs are not able to traverse the firewall in transparent mode.

Conditions:
Transparent Firewall Mode.
Generic 802.2 LLC packet

Workaround:
None

Further Problem Description:

Last Modified:
09-MAY-2016
Known Affected Releases:
EVERCLEAR
Known Fixed Releases: *
96.2(0.1), 96.2(0.12), 96.2(1.145), 96.2(11.1), 96.2(11.13), 97.1(0.14), 97.1(0.7), 97.1(1.32), 97.1(1.9), 97.1(2.6)
Alert Type:
Updated *
Bug Id:
CSCtj93072
Title:
BotNet filter might drop all DNS for some ISPs
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
The Cisco ASA botnet filtering feature might cause network instability due to DNS under certain conditions.

Conditions:
Cisco ASA with the botnet filtering feature enabled.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 5.4/4.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
12-MAY-2016
Known Affected Releases:
8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtj89313
Title:
BTF issues with Bot stats and dns snoop bindings
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
A bot spoofing its source IP address while talking to its bot master can make any legitimate internal host look like an infected host caught by the botnet filter. Additionally, the feature might report improper information under certain conditions.

Conditions:
Cisco ASA configured for Botnet Filtering.

Workaround:
Not available.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS
scores as of the time of evaluation are 2.6/2.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
12-MAY-2016
Known Affected Releases:
8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtw73597
Title:
BTF: Improve 'dynamic-filter drop' parser logic to prevent unwanted cfg
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
When configuring botnet filtering on the ASA platform, having multiple ''dynamic-filter drop blacklist'' commands may produce unexpected results. The code behaves such that only the first ''dynamic-filter drop blacklist'' config line is used and subsequent ones are ignored.

For example, the following will ONLY block 'very-high' threat-levels and *NOT* 'high':

dynamic-filter drop blacklist threat-level eq very-high
dynamic-filter drop blacklist threat-level eq high

Likewise, the following will ONLY block 'high' threat-levels and *NOT* 'very-high':

dynamic-filter drop blacklist threat-level eq high
dynamic-filter drop blacklist threat-level eq very-high

Conditions:
This is seen with multiple ''dynamic-filter drop blacklist'' configuration commands.

Workaround:
Consolidate the multiple commands into a single command using the 'range' option.

dynamic-filter drop blacklist threat-level eq high
dynamic-filter drop blacklist threat-level eq very-high

becomes:

dynamic-filter drop blacklist threat-level range high very-high

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
12-MAY-2016
Known Affected Releases:
8.4(2.18)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz65595
Title:
ENH: CLI for OSPF convergence time
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The OSPF convergence timer is 70 seconds.
The ASA CLI should provide the possibility to reconfigure this time.

Conditions:
ASA failover pair.
ASA is configured with OSPF

Workaround:
NONE

Further Problem Description:

Last Modified:
13-MAY-2016
Known Affected Releases:
9.3, 9.4, 9.5
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtg38746
Title:
Knob to allow h.225 traffic before h.225 setup
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Phones fail when sending h.225 traffic before h.225 setup message

Conditions:
Phone sending h.225 before h.225 setup.
h.323 inspection enabled on ASA.
Syslog %ASA-4-405104: H225 message INFORMATION received from 10.122.42.221/496
to 10.11.185.8/47110 before SETUP will be triggered.

Workaround:
Disable inspection and open all necessary ports to allow traffic.

Last Modified:
16-MAY-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.16(1.49), 100.16(14.1), 100.16(15.7), 9.6(0.99), 9.6(1), 96.1(1.5), 96.1(1.57), 96.1(6.1), 96.2(0.1), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCux46195
Title:
Hyperlite Support for SD Card
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SD card plug and play does not work. SD card plug and play works fine in all other devices with HW Version greater than or equal to 2.1.

Conditions:
Cisco SKU (ISA3000-4C, ISA3000-2C2F) with HW Version less than 2.1, as seen in the output of "show modules".

Workaround:
None. The box needs to be RMA-ed so that the SD card microcontroller firmware can be upgraded.

Further Problem Description:

Last Modified:
17-MAY-2016
Known Affected Releases:
100.15(21.12)
Known Fixed Releases: *
9.6(0.99), 9.6(1), 96.1(1.28), 96.1(1.57), 96.1(5.2), 96.1(5.3), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCuv50747
Title:
ENH: HTTP redirect support for IPV6
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
We see the logs below when we try to access the ASA outside interface over IPv6 on port 80:

%ASA-7-710005: TCP request discarded from 1eee::f49a:c93c:38d9:d034/50771 to outside:1eee::1/80
%ASA-3-710003: TCP access denied by ACL from 1eee::f49a:c93c:38d9:d034/50772 to outside:1eee::1/80


ciscoasa# sh asp table socket

Protocol Socket State Local Address Foreign Address
SSL 0023fff8 LISTEN 123.123.123.1:443 0.0.0.0:*
SSL 007801a8 LISTEN 10.106.45.221:443 0.0.0.0:*
SSL 004ffff8 LISTEN [1eee::1]:443 [::]:*
DTLS 004003d8 LISTEN [1eee::1]:443 [::]:*
DTLS 004004c8 LISTEN 10.106.45.221:443 0.0.0.0:*
TCP 009003d8 LISTEN 10.106.45.221:80 0.0.0.0:* ============ > listen on port 80 for ipv4 but similar entry for ipv6 is missing.

Conditions:
The command "http redirect outside 80" is present.

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.65), 100.12(0.155), 100.13(0.121), 100.15(0.102), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.108), 9.1(6.108), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCuu35854
Title:
The engine ID goes out of sync during upgrade of the ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SNMP stops working for a failover (FO) pair when a zero-downtime upgrade is performed. The engine ID of the ASAs goes out of sync, causing SNMP to fail.

Conditions:
Zero-downtime upgrade being performed on an ASA FO pair.

Workaround:
None known.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(0.99), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37)
Alert Type:
Updated *
Bug Id:
CSCus85257
Title:
ASA Connector - Provide Higher Layer Health Checks for CWS Tower
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The ASA may not failover to the backup CWS tower when the CWS tower is in a degraded state but remains responsive to ASA TCP health checks. This may cause traffic interruption in the network environment when the ASA continues to redirect web traffic to the degraded tower. This is an enhancement request to provide more granular health checking between the ASA and the CWS tower.

Conditions:
This can occur if the CWS tower is degraded (not down) but is still able to complete the TCP three-way handshake used by the ASA health check.

Workaround:
Manually point the ASA to the backup CWS tower.

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 9.2(3.160), 9.2(3.161), 9.2(4.6), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCtw80509
Title:
add "show resource usage summary count all 1" to show tech
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Add "show resource usage summary count all 1" to the show tech.

Conditions:
This is a request to add "show resource usage summary count all 0" to the show tech output so that more information regarding xlates, conns, inspects, syslogs, etc. can be evaluated as part of the show tech snapshot. This information would also be helpful in diagnosing performance issues and would be useful to have as part of the show tech portion of the show crashinfo.

Workaround:
None

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCur30827
Title:
Placeholder to commit CLNS compiled files
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Placeholder to commit CLNS compiled files

Conditions:

Workaround:

Further Problem Description:

Last Modified:
16-MAY-2016
Known Affected Releases:
9.0
Known Fixed Releases: *
100.15(11.1), 100.16(1.8), 100.16(12.1), 9.6(0.99), 9.6(1), 96.1(1.29), 96.1(1.57), 96.2(0.1), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCuc23836
Title:
WebVPN Cookies Should Have HTTPOnly Flag Set
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Cisco ASA configured for SSL VPN.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.2/1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
19-MAY-2016
Known Affected Releases:
100.12(10.47), 8.0(4.23), 8.4, 8.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCua37902
Title:
Some syslogs lost when using TCP based syslogging
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
If TCP syslogging is configured on the ASA, not all messages are sent to the syslog server when there is sufficient load combined with connectivity issues between the ASA and the syslog server.

Conditions:
The issue is seen only when using TCP-based syslogging with a high rate of syslogs.

Workaround:
Use UDP syslogging instead of TCP syslogging.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
20-MAY-2016
Known Affected Releases:
8.4, 8.4(3), 8.4(3.130), 9.1(5)
Known Fixed Releases: *
100.16(1.75), 100.16(1.81), 100.16(14.1), 9.1(2.220), 9.1(6.170), 96.1(6.1), 96.1(6.7), 96.2(0.1), 96.2(1.178), 96.2(11.8)
Alert Type:
New
Bug Id:
CSCuz75240
Title:
ASA Syslog : Syslog when 80% of Security Contexts have been used
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
No indication to customers that the limit of countable licenses is about to be reached.

Conditions:

Workaround:
None

Further Problem Description:

Last Modified:
20-MAY-2016
Known Affected Releases:
9.0(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCub38411
Title:
Password Storage Best Practice Violations
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to improve the way passwords are stored and salted on the Cisco ASA.

Conditions:
Default configuration

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.8/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:H/Au:S/C:C/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
7.0(1), 8.4
Known Fixed Releases: *
97.1(1.38), 97.1(3.8)
Alert Type:
Updated *
Bug Id:
CSCux03842
Title:
Implement SAML support Phase 2
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
* Clientless WebVPN cannot use a SAML Identity Provider for authentication if the provider is in a private network.

Conditions:

Workaround:
none

Further Problem Description:

Last Modified:
21-MAY-2016
Known Affected Releases:
100.16(11)
Known Fixed Releases: *
100.16(1.36), 100.16(14.1), 100.16(15.1), 100.16(15.5), 100.16(6.1), 96.2(0.1), 97.1(1.33), 97.1(3.8), 97.1(5.1)
Alert Type:
Updated *
Bug Id:
CSCtd70269
Title:
ENH: Support 'sysopt connection reclassify-vpn' for EzVPN NEM also
Status:
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
This is an enhancement request.

Currently, the 'sysopt connection reclassify-vpn' command is only supported for static or dynamic VPN tunnels, and does not support EzVPN.

The enhancement request is to support the command for EzVPN NEM (network extension) mode, so that when EzVPN NEM tunnels come up, any clear-text flows are reclassified to go over the VPN tunnel.

Conditions:

Workaround:
Use the "match address" command in the dynamic crypto map to include all remote subnets. The remote subnets can be summarized.
For example:

access-list myvpn permit ip 10.0.0.0 255.0.0.0

This would include all remote network subnets that are part of the 10.0.0.0 network.

Example:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10000 match address myvpn
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10000 set transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set myset

Here the first dynamic map sequence (10000) matches the remote EzVPN NEM subnets, and the second one (65535) serves as a fallback for other clients or dynamic VPNs that don't match the 10000 sequence.

Further Problem Description:

Last Modified:
24-MAY-2016
Known Affected Releases:
8.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCul90037
Title:
ASA5585 Power supply entries needs to be updated in ENTITY-MIB
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
While removing/inserting a power supply in an ASA 5585 device, the power supply entries are not updated properly in the ENTITY-MIB. The behavior should mimic that of other Cisco products which use containers.

Conditions:
Cisco ASA 5585-X platform running 8.2.4 or later with SNMP enabled.

Workaround:
None.

Further Problem Description:
The ASA 5585 has been designed to support field-replaceable, hot-swappable power supplies. In the event of a power supply failure, an SNMP trap is sent from the ASA to the configured trap receiver. When power is restored, the ASA does not send an additional SNMP trap. Note that when using Cisco Prime Network to monitor ASA 5585s, the network operator is required to manually clear a power supply fault condition within the EMS.

Last Modified:
25-MAY-2016
Known Affected Releases:
8.2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz77275
Title:
ENH: Add more granular config options for "privilege" option
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
Need to have more granular options in regards to privilege level.

"If you wanted to give permissions to level 5 to only be able to copy a capture off the ASA, but not allow the user with the same permission to copy anything else off flash"

Conditions:
Using privilege levels on the ASA platform to specify what users can do.
Wanting to provide granular access to certain commands, while not allowing other options.

Workaround:
Configure RADIUS/TACACS server to have more granular control over permission.

Further Problem Description:

Last Modified:
26-MAY-2016
Known Affected Releases:
8.6(1), 9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux70812
Title:
Add Asynchronous support for DHCP proxy
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
ASA DHCP proxy server operations (i.e. DHCP address assignment for VPN clients) run in synchronous mode, handling only one request at a time. In some cases this may cause DHCP address assignment delays or inefficiency in handing out IP addresses.

Conditions:
ASA DHCP proxy operations, such as assigning IP addresses to VPN clients.

Workaround:
None.

Further Problem Description:

Last Modified:
27-MAY-2016
Known Affected Releases:
9.0(1)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.119), 9.1(7.160), 9.1(7.5), 9.2(4.11), 9.4(3.1), 96.2(0.19), 96.2(11.15), 97.1(0.15)
Alert Type:
Updated *
Bug Id:
CSCth40232
Title:
ASA IKE "debug menu ike" command available for customer use
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
There is no customer-available admission control mechanism. For this purpose, the "debug menu ike 28" command can be used, but it is not documented and not persistent across reloads.

Conditions:
Need to create an admission control ratio to avoid CPU overload.

Workaround:
Use the command "debug menu ike 28 [args]".

Last Modified:
30-MAY-2016
Known Affected Releases: *
7.2(4.20), 8.0(4), 8.4(3)
Known Fixed Releases:
100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.5), 100.9(0.12), 100.9(4.1), 9.0(2.100), 9.0(3), 9.2(0.99)
Alert Type:
Updated *
Bug Id:
CSCuy28710
Title:
ARP source IP sanity check against proxy-arp list
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
ASA rejects an ARP packet if the sender IP overlaps with a subnet/host for which ASA is configured to do proxy-arp.

Conditions:
By default, the ASA does proxy ARP for all hosts that are part of a translated network in a static NAT rule. This defect may cause resolution failures if a directly connected subnet of the ASA overlaps with a network for which the ASA is configured to proxy ARP. To identify this, the output of "show nat proxy-arp" can be leveraged. Example:

ciscoasa(config)# sh nat proxy-arp

Nat Proxy-arp Table
id=0x6f0dfff8, ip/id=192.168.0.0, mask=255.255.0.0 ifc=outside
config:(inside) to (outside) source static local local destination static remote remote
...

If the directly connected subnet on outside interface overlaps with the network in an entry with ifc=outside, ARP resolution failures will occur.

Workaround:
If the NAT rule is identity, add the no-proxy-arp keyword. For non-identity NAT rules, the rule needs to be made more specific to exclude directly connected subnets.
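
As an added illustration of the check described in the Conditions above (this script is not part of the bug record and is not Cisco tooling), the following Python parses the "show nat proxy-arp" output format shown there and flags every proxy-ARP entry whose network overlaps the directly connected subnet on the same interface. The sample output, the ids and the subnets in it are constructed for the example; only the line format comes from the bug description.

```python
import ipaddress
import re

# Constructed sample of "show nat proxy-arp" output, following the line format
# shown in the bug description. The ids, addresses and object names are made up.
SAMPLE_PROXY_ARP_OUTPUT = """\
Nat Proxy-arp Table
id=0x6f0dfff8, ip/id=192.168.0.0, mask=255.255.0.0 ifc=outside
config:(inside) to (outside) source static local local destination static remote remote
id=0x6f0e0120, ip/id=10.20.30.5, mask=255.255.255.255 ifc=outside
config:(dmz) to (outside) source static web-int web-ext
id=0x6f0e0248, ip/id=172.16.0.0, mask=255.255.0.0 ifc=inside
config:(outside) to (inside) source static remote remote destination static local local
"""

# One proxy-ARP table entry: id, network address, netmask and the interface it applies to.
ENTRY_RE = re.compile(
    r"id=(?P<id>0x[0-9a-fA-F]+),\s+ip/id=(?P<ip>[\d.]+),\s+mask=(?P<mask>[\d.]+)\s+ifc=(?P<ifc>\S+)"
)


def parse_proxy_arp(output):
    """Return a list of (entry_id, network, interface) tuples from show nat proxy-arp output.

    Lines that do not match the entry format (the table header, the config: lines,
    or the '...' continuation) are ignored.
    """
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        # ipaddress accepts "address/netmask" notation; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        entries.append((m["id"], net, m["ifc"]))
    return entries


def find_overlaps(output, connected):
    """Flag proxy-ARP entries that overlap a directly connected subnet on the same interface.

    connected maps an interface name to its directly connected subnet in CIDR form,
    e.g. {"outside": "192.168.1.0/24"}. Returns (entry_id, network, interface) tuples
    for the entries that would cause the ARP resolution failures described in the bug.
    """
    hits = []
    for entry_id, net, ifc in parse_proxy_arp(output):
        subnet = connected.get(ifc)
        if subnet is None:
            continue
        if net.overlaps(ipaddress.ip_network(subnet, strict=False)):
            hits.append((entry_id, str(net), ifc))
    return hits


if __name__ == "__main__":
    # Constructed interface addressing: the outside subnet sits inside 192.168.0.0/16.
    connected_subnets = {"outside": "192.168.1.0/24", "inside": "10.0.0.0/8"}
    for entry_id, net, ifc in find_overlaps(SAMPLE_PROXY_ARP_OUTPUT, connected_subnets):
        print(f"proxy-arp entry {entry_id} ({net} on {ifc}) overlaps the connected subnet "
              f"{connected_subnets[ifc]}; ARP resolution on {ifc} may fail")
```

Feed the script the real command output and the interface subnets from "show interface" or the running configuration; any entry it reports is a candidate for the no-proxy-arp keyword (identity NAT) or for narrowing the translated network, as the Workaround describes.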

Further Problem Description:

Last Modified:
31-MAY-2016
Known Affected Releases:
9.1(7), 9.2(4.3), 9.4(2.104), 9.4(2.5)
Known Fixed Releases:
9.1(7.2), 9.2(4.7), 9.4(2.108), 9.4(2.7), 9.4(3)

Find additional information in Bug Search index.


2015 Cisco and/or its affiliates. All rights reserved.