Sunday, July 3, 2016

Cisco Notification Alert - ASA 5500 Series NG Firewall - 04-Jul-2016 05:39 GMT


Security Advisories & Responses - ASA 5500-X Series Firewalls

Title:
Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
Description:

A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Date:
01-JUL-2016

Find additional information in Cisco Security Advisories & Responses

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.6.1 Interim
Alert Type:
New File
File Name:
asa961-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
30-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
27-JUN-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3 Interim
Alert Type:
New File
File Name:
asa943-3-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
15-JUN-2016

Known Bugs - ASA 5500-X Series Firewalls

Alert Type:
Updated *
Bug Id:
CSCuy27428
Title:
ASA traceback in thread name snmp after upgrade to 9.1(7)
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
The ASA could traceback and reload in thread name snmp.

The problem has been observed on ASAs running version 9.1(7) but could affect other versions as well.

Conditions:
To encounter this problem, all of the following conditions must be true:
1. The ASA must be configured to permit SNMP polling.
2. An SNMP server must poll for a specific MIB:
CISCO-ENHANCED-MEMPOOL (OID: 1.3.6.1.4.1.9.9.221)
3. There is a policy on the SNMP Manager that makes it poll only a few pre-programmed OIDs from the CISCO-ENHANCED-MEMPOOL MIB instead of doing a complete walk.

Workaround:
1. If you have a policy on the SNMP Manager that makes it poll only some specific OIDs from the CISCO-ENHANCED-MEMPOOL MIB instead of doing a complete walk, remove the policy.

Further Problem Description:
This issue is under active investigation

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(7), 9.6(0.102)
Known Fixed Releases: *
9.1(7.1), 9.1(7.2), 9.6(0.105), 9.6(1.99), 96.1(1.78), 96.2(1.131), 97.1(0.1)
Alert Type:
Updated *
Bug Id:
CSCuo58411
Title:
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
-ASA stops passing IKEv2 packets for certain identities.
-ASA prints "Duplicate entry in tunnel manager", while "debug menu ike-common 1" shows stale IKEv2 entries.
-"debug menu ike-common 1" reveals IKEv2 identities that are very old (stale).

Conditions:
-ASA is running 9.1.5 or later
-ASA is configured for IKEv2 L2L

Update: The problem can be observed also on 9.0.x train.

Workaround:
Issue "debug menu ike-common 10" to remove the stale IKEv2 entries (this will delete all current IKEv2 connections).

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases:
100.11(0.21), 100.11(6.1), 100.12(12.1), 100.12(13.6), 100.12(15.2), 100.12(2.10), 100.12(8.11), 100.8(40.78), 9.1(5.13), 9.2(2.1)
Alert Type:
Updated *
Bug Id:
CSCuh19234
Title:
Traceback after upgrade from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3)
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
A crash happens during upgrade migration from pre-8.3 to 8.4(6), 9.1(2) or 9.0(3), causing a boot loop.

Conditions:
ASA with version pre-8.3

Workaround:
Manual migration of the config

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
8.4(6), 9.0(3), 9.1(2)
Known Fixed Releases:
100.10(0.6), 100.7(6.119), 100.8(27.84), 100.8(38.19), 100.8(40.8), 100.8(41.2), 100.8(60.21), 100.9(0.51), 100.9(10.1), 100.9(6.28)
Alert Type:
New
Bug Id:
CSCva31378
Title:
ASA crash at Thread Name: rtcli async executor process
Status:
Open
Severity:
1 Catastrophic
Description:

Symptom:
ASA may crash at Thread Name: rtcli async executor process

Conditions:
ASA is configured with webvpn

Workaround:
-

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.4(2), 9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz54545
Title:
ASA Address not mapped traceback - configuring snmp-server host
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may present an "Address Not Mapped" crash when configuring "snmp-server host" statements on the ASA.

In the original case this crash was faced when the customer was configuring a set of 15 SNMP hosts on the ASA, such as:

snmp-server host inside x.y.252.227 poll community *****
snmp-server host inside x.y.252.228 poll community *****
snmp-server host inside x.y.252.229 poll community *****
snmp-server host inside x.y.252.230 poll community *****
snmp-server host inside x.y.252.231 poll community *****
snmp-server host inside x.y.252.232 poll community *****
snmp-server host inside x.y.252.233 poll community *****
snmp-server host inside x.y.252.234 poll community *****
snmp-server host inside x.y.252.235 poll community *****
snmp-server host inside x.y.252.236 poll community *****
snmp-server host inside x.y.252.237 poll community *****
snmp-server host inside x.y.252.238 poll community *****
snmp-server host inside x.y.252.239 poll community *****
snmp-server host inside y.z.5.246 poll community *****
snmp-server host inside x.y.166.56 poll community *****

Conditions:
> ASA running code 9.4.2.6
> Several snmp-server host entries being configured on the ASA

Workaround:
None.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.4(2.6)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.4(3.1), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.26), 96.2(11.16), 97.1(0.16), 97.1(1.39)
Alert Type:
Updated *
Bug Id:
CSCva27941
Title: *
ASA: Page fault traceback in DATAPATH thread
Status:
Open
Severity:
2 Severe
Description: *

Symptom:

ASA crashed in the DATAPATH thread.

Conditions:
ASA was running on 9.5.2 (10)

Workaround:

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2.10)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz09255
Title:
ASA does not respond to NS in Active/Active HA
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
Hosts are able to ping6 through the ASA failover pair when a certain context is active, but not when that context becomes active on the other failover unit.

Packet captures will show a flood of NS messages, but no NAs coming back from the ASA.

Conditions:
-Observed on ASA 5585-X and 5555-X hardware
-Found to affect at least versions 9.2.4 and 9.5.2
-HA (Failover) configuration
-Active/Active (i.e., failover with multiple security contexts and failover groups)
-Static one-to-one NAT configured between two IPv6 subnets on the ASA

Workaround:
-Configure IPv4 instead of IPv6 for at least one of the subnets and use the net-to-net argument (per the following documentation: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1778544) to create a NAT46 design.
-In case of a failover event, clear the neighbor cache on the newly active context(s) so that it initiates an unsolicited NS destined to the relevant multicast address.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.2(4), 9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy28710
Title:
ARP source IP sanity check against proxy-arp list
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA rejects an ARP packet if the sender IP overlaps with a subnet/host for which ASA is configured to do proxy-arp.

Conditions:
By default, ASA does proxy-arp for all hosts which are part of a translated network in a static NAT rule. This defect may cause resolution failures if a directly connected subnet of the ASA overlaps with a network for which the ASA is configured to proxy ARP. To identify this, the output of "show nat proxy-arp" can be leveraged. Example:

ciscoasa(config)# sh nat proxy-arp

Nat Proxy-arp Table
id=0x6f0dfff8, ip/id=192.168.0.0, mask=255.255.0.0 ifc=outside
config:(inside) to (outside) source static local local destination static remote remote
...

If the directly connected subnet on outside interface overlaps with the network in an entry with ifc=outside, ARP resolution failures will occur.

Workaround:
If the NAT rule is identity, add the no-proxy-arp keyword. For non-identity NAT rules, the rule needs to be made more specific to exclude directly connected subnets.

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.1(7), 9.2(4.3), 9.4(2.104), 9.4(2.5)
Known Fixed Releases: *
100.13(0.143), 100.8(40.122), 9.1(7.2), 9.1(7.7), 9.2(4.7), 9.4(2.108), 9.4(2.7), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuz98220
Title:
ASA traceback with Thread Name: Dispatch Unit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed with Thread Name: Dispatch Unit

Conditions:
Webvpn configured on ASA

Workaround:
Disable webvpn (might not be feasible)

OR

Disable DH based algorithms on the ASA using the command

"ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.1(5), 9.1(6.6), 9.1(7.6)
Known Fixed Releases: *
100.13(0.142), 100.15(0.123), 100.8(40.122), 9.1(7.7), 9.6(1.99), 96.2(0.60), 97.1(0.22), 97.1(1.66), 97.1(2.47), 97.1(6.6)
Alert Type:
Updated *
Bug Id:
CSCva03982
Title:
ASA : Mem leak in cluster mode due to PBR lookup
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
- Memory usage, on one ASA, increases over a period of days. The other unit's memory usage is normal.
- Problematic ASA will eventually reload itself once memory usage reaches maximum of 100%.

Conditions:
1. ASA is configured in cluster mode with two units in the cluster. It is not yet known whether the same behavior will be seen with more than two cluster members.
2. Policy Based Routing is applied on an interface.
3. Seen so far in ASAs running 9.5.2.2 and 9.6.1.3.

Workaround:
None

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.5(2.2), 9.6(1.3)
Known Fixed Releases: *
100.15(0.124), 9.6(1.99), 96.2(0.66), 97.1(0.23), 97.1(1.73), 97.1(2.47), 97.1(6.8), 97.1(7.13), 97.1(9.13)
Alert Type:
Updated *
Bug Id:
CSCuz80281
Title:
IPv6 neighbor discovery packet processing behavior
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple Cisco products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware would be affected by this vulnerability.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

Conditions:
Exploitation of this vulnerability against Cisco IOS devices may cause high CPU and loss of IPv6 neighborships and IPv6 traffic, as well as loss of some IPv4 traffic that terminates on the vulnerable device.

A mitigation ACL limiting IPv6 ND packets to the local link and dropping them at the edge can help protect the infrastructure.

The following ACL is an *example* of an access list that can be used on the edge device to help mitigate potential attacks on the internal infrastructure from the internet:

permit icmp neighbor_global_ipv6 your_global_ipv6 nd-ns
permit icmp neighbor_global_ipv6 your_global_ipv6 nd-na
permit icmp neighbor_global_ipv6 FF02::1:FF00:0/104 nd-ns
permit icmp neighbor_global_ipv6 host FF02::1 nd-na
permit icmp FE80::/64 any nd-na
permit icmp FE80::/64 any nd-ns
permit icmp any FE80::/64 nd-na
permit icmp any FE80::/64 nd-ns
deny icmp any any nd-na log
deny icmp any any nd-ns log
permit ipv6 any any

Customers should keep in mind that the above ACL is not foolproof, as the permitted source address can be spoofed.

Note: The above ACL only matches on NA and NS neighbor discovery packets. However, if customers are processing the remaining ND messages (RA, RS or Redirects), those should be added to the ACL as well. Additionally, if those are not processed on a device, they can be dropped altogether within the same ACL.

Workaround:
The forthcoming fixed version will be 9.4.1.12, with an ETA of 07-July-2016.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
02-JUL-2016
Known Affected Releases:
100.16(15.5), 9.4(1.104), 9.4(2.9), 96.2(0.42)
Known Fixed Releases: *
96.2(0.70), 97.1(0.23), 97.1(1.78)
Alert Type:
Updated *
Bug Id:
CSCuz61092
Title:
Interface health-check failover causes OSPF not to advertise ASA as ABR
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OSPF routes for other areas will be missing for a period of 30 minutes after an ASA ifc-monitoring failover.

Conditions:
Necessary conditions:
-ASAs configured for failover
-ASAs act as ABRs for OSPF

Tested under the following conditions:
-ASAs in Multiple Security Context Mode with Active/Standby failure (only one failover group configured)
-Observed affecting versions 9.4.2.6 and 9.4.3
-ASAs connect to OSPF peers through ACI fabric

The issue occurs only when failover is triggered by an interface health-check; when failover is triggered by the "(no) failover active" command, OSPF re-converges normally.

Workaround:
Shutdown and then "no shutdown" the interfaces participating in OSPF.

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.4(2.6), 9.4(3)
Known Fixed Releases: *
100.13(0.143), 100.15(0.124), 9.6(1.99), 96.2(0.66), 97.1(0.23), 97.1(1.73), 97.1(6.8), 97.1(7.13), 97.1(9.13)
Alert Type:
Updated *
Bug Id:
CSCup37416
Title:
Stale VPN Context entries cause ASA to stop encrypting traffic
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAs which had a working L2L VPN tunnel suddenly stop encrypting traffic.
The ASP table will show duplicate ASP entries; traffic is hitting an ASP entry that is stale, and the traffic for that particular SA is blackholed.

Conditions:
ASA5500 running 9.1 or later code with IKEv2 L2L tunnels configured with default IKEv2 rekey configuration supporting both time and data-based rekeys.

Workaround:
Potential workarounds:

1) Disable data-based rekeying:
"crypto map set security-association lifetime kilobytes unlimited"

2) clear crypto ipsec sa inactive

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.1(2.8), 9.1(3), 9.1(5.12), 9.1(6), 9.2(3), 9.5(2)
Known Fixed Releases: *
100.13(0.143), 100.15(0.124), 96.2(0.68), 97.1(0.23), 97.1(1.75), 97.1(2.48), 97.1(6.8), 97.1(7.14), 97.1(9.14)
Alert Type:
Updated *
Bug Id:
CSCux00686
Title:
Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS)
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) library (libSRTP), which addresses a denial of service (DoS) vulnerability. Multiple Cisco products incorporate a vulnerable version of the libSRTP library.

The vulnerability is in the encryption processing subsystem of libSRTP and could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet designed to trigger the issue to an affected device.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Conditions:
The Cisco ASA has to be configured with the Phone Proxy feature to be vulnerable. The configuration keyword to look for is 'phone-proxy'. This vulnerability can result in a system-level restart of the device.

The Cisco ASA Phone Proxy feature has been deprecated as of release version 9.4.1, released in March 2015.

Workaround:
None.

Further Problem Description:
Please refer to the following Cisco ASA document on the phone proxy feature for additional configuration specifics:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/unified_comm_phoneproxy.pdf

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6360 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
06-JUN-2016
Known Affected Releases:
8.1(0.104)
Known Fixed Releases:
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.14), 100.16(1.70), 100.16(14.1), 100.7(6.149), 100.8(40.109), 8.4(7.31)
Alert Type:
Updated *
Bug Id:
CSCux01754
Title:
ASA Traceback in Thread Name: DATAPATH-0-1329 (rip chunk_malloc)
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA 9.2(1) may crash in DATAPATH thread.

Conditions:
Not known yet.

Workaround:
None.

Further Problem Description:

Last Modified:
08-JUN-2016
Known Affected Releases:
9.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus63115
Title:
ASA drops packet-too-big when icmp inspection is on (traffic thru ASA)
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
Client---A---U21----B----U22---4900 M2---C---5506-3-----inside ASA ---D---outside Router(see attached diagram)

1. Lowered the MTU between U21 and U22 to 1300.
2. Pinged from the Client to the outside router with an MTU of 1200.
Packets are not fragmented and the ping is successful.
Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA and captures on the inside and outside interfaces of the ASA that the connection is allowed.
3. Pinged from the Client to the outside router with an MTU of 1400.
Packets are fragmented and the ping fails.
Verified with the 'debug icmp trace' command on the ASA, 'show log' on the ASA and captures on the inside and outside interfaces of the ASA that the ASA drops the packet-too-big ICMP packet.

Conditions:
This happens when ICMP inspection is enabled.
If it is disabled, the packet goes through.

Workaround:
Disable ICMP inspection and use an ACL.

Further Problem Description:
This is not an effective workaround, as we lose the NAT rewrite functionality of the ICMP inspection engine and have to use 'any any' in the ACL, since it is not predictable which router in the path will send the ICMP packet-too-big message.

Last Modified:
13-JUN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux36112
Title:
PBR: Mem leak in cluster mode due to policy based route
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Memory usage on ASA increases over a period of time

Conditions:
1. Policy Based Routing is applied on an interface.
2. ASA is configured in cluster mode and there are two or more units in the cluster.

Workaround:
None

Further Problem Description:

Last Modified:
13-JUN-2016
Known Affected Releases: *
9.4(1), 9.5(2.2), 9.6(1.3)
Known Fixed Releases:
100.13(0.128), 100.15(0.112), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 9.6(1), 96.1(1.63), 96.2(1.116)
Alert Type:
Updated *
Bug Id:
CSCux03626
Title:
Traceback in thread name: Unicorn Proxy Thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running code 9.5(1)4 faced a traceback in the Unicorn Proxy Thread.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
14-JUN-2016
Known Affected Releases: *
9.4(2), 9.5(1.4)
Known Fixed Releases:
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.3(3.171), 9.3(3.8), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 9.6(1)
Alert Type:
Updated *
Bug Id:
CSCuy64950
Title:
EIGRP routes not replicating from Active to Standby member of ASA HA pair
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
EIGRP routes are not replicating from active to standby

Conditions:
ASAs running fixed-in images from the cisco-sa-20160210-asa-ike PSIRT advisory
ASA running in HA active/standby mode
ASA running EIGRP

Workaround:
none at this time

Further Problem Description:

Last Modified:
15-JUN-2016
Known Affected Releases:
8.4(7.30), 9.5(2.2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCva10054
Title:
ASA ASSERT traceback in DATAPATH due to sctp inspection
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA traceback in DATAPATH

Conditions:
SCTP traffic flowing through the ASA with the default SCTP config on the ASA
ASA running version 9.5.2 and above (with support for SCTP inspection)

Workaround:
Enable SCTP state bypass using "set connection advanced-options sctp-state-bypass"

Further Problem Description:

Last Modified:
16-JUN-2016
Known Affected Releases:
9.5(2.10)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux56111
Title:
"no ipv6-vpn-addr-assign" CLI not working
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When AnyConnect clients connect, they always request both IPv4 and IPv6 addresses even if IPv6 is not configured. A session will fail if the IPAA subsystem doesn't return a response to the request, even though there's no need for the request in the first place if IPv6 is not configured.

Conditions:
Failure can occur even when "no ipv6-vpn-addr-assign" is configured.

Workaround:
none

Further Problem Description:

Last Modified:
17-JUN-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.109), 100.16(0.19), 100.8(40.111), 9.0(4.210), 9.1(6.113), 9.1(7), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCuj82692
Title:
ASA 8.4.7 - Traceback with assertion in thread name Dispatch Unit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standalone ASA traceback in thread name Dispatch Unit

Conditions:
ASA version 8.4.7

Workaround:
not known

Further Problem Description:
ASA crashes during propagation of VOIP traffic. If the VOIP inspections are disabled, the crashes are not seen.

Last Modified:
20-JUN-2016
Known Affected Releases: *
8.4(6.3), 8.4(7), 9.1(4), 9.1(6), 9.4(1)
Known Fixed Releases:
100.10(0.63), 100.10(2.4), 100.10(3.1), 100.10(9.1), 100.7(6.127), 100.8(38.94), 100.8(40.56), 100.9(10.23), 8.4(7.8), 9.0(4.1)
Alert Type:
Updated *
Bug Id:
CSCuj47104
Title:
EIGRP routes on the active ASA getting deleted after the ASA failover
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
EIGRP routes on the active ASA are deleted after a failover. The ASA is running version 9.1.3.
The EIGRP routes are deleted 60-65 seconds after the failover, with the following debug messages (when 'debug route ha' is enabled on the ASA):

ROUTE HA: Reconvergence Timer expired, flushing out stale routes.
ROUTE HA: Flush Stale Entries from RIB
ROUTE HA: delete route to x.x.x.x y.y.z.z
ROUTE HA: delete route to a.b.c.d y.y.z.z

Conditions:
Two ASAs in an Active/Standby failover pair running v9.1.3. The router connected to the ASA is configured so that an 'ip summary-address' and the router's own interface subnets fall within the same classless subnet.

E.g. 'ip summary-address eigrp 100 10.100.0.0 255.255.0.0' and 'ip summary-address eigrp 100 10.102.0.0 255.255.0.0' are configured on the router, while the router already has interfaces in the subnets 10.100.255.x/29 and 10.102.255.x/29.

After failover from one ASA to the other, EIGRP routes on the active ASA are deleted.

Workaround:
There are two workarounds:

1) Clear the EIGRP neighborship on the ASA or on the connected router.
2) Remove the 'ip summary-address' command from the connected router.

Further Problem Description:

Last Modified:
21-JUN-2016
Known Affected Releases:
100.7(6.118), 9.1(3)
Known Fixed Releases:
100.10(0.28), 100.10(1.21), 100.10(2.1), 100.8(38.55), 100.8(40.35), 100.8(45.7), 100.8(52.2), 100.9(10.12), 9.0(3.100), 9.0(3.9)
Alert Type:
Updated *
Bug Id:
CSCva14570
Title:
Crash on DATAPATH thread while framing PAT Xlate info to replicate FLOW
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
ASA may crash in the DATAPATH thread while populating PAT xlate info to replicate a flow.
This can happen with HA/failover or cluster flow replication.

Conditions:
ASA application installed on FPR9300

Workaround:
NONE

Further Problem Description:

Last Modified:
23-JUN-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCum70304
Title:
FIPS self test power on fails - fipsPostDrbgKat
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ERROR: FIPS Self-Test failure, fipsPostDrbgKat [1:0:-1:-1:0]



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:

***
***
ERROR: FIPS Self-Test failure, fipsPostDrbgKat [1:0:-1:-1:0]

Process shutdown finished
Rebooting....

Conditions:
upgrade to 9.1.2

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.6), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux82835
Title:
Nat pool exhausted observed when enabling asp transactional-commit nat
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Syslogs observed:

%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80


Note also that the UDP section is missing from the NAT pool output:

ciscoasa# show nat pool
TCP PAT pool outside, address 10.105.130.199, range 1-511, allocated 1
TCP PAT pool outside, address 10.105.130.199, range 512-1023, allocated 0
TCP PAT pool outside, address 10.105.130.199, range 1024-65535, allocated 0


ciscoasa# show run all xlate
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
xlate block-allocation size 512
xlate block-allocation maximum-per-host 4

Conditions:
1. asp rule-engine transactional-commit nat is enabled on the ASA.
2. At least one static nat rule is created for port forwarding for the same public pool IP.

Workaround:
Disable asp transactional commit and then reload the ASA.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy85243
Title:
ASA traceback when receive Radius attribute with improper variable type
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
If the RADIUS attribute IE-Proxy-Server-Policy is returned by a RADIUS server to the ASA for an AnyConnect VPN client with an attribute type of "string" instead of "integer", the ASA crashes.

That attribute should be an integer, as documented at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html#32985

Conditions:
ASA authenticating VPN users via RADIUS.
ISE/ACS RADIUS server returning the attribute IE-Proxy-Server-Policy tagged as a "string" type.

The crash is seen with 'debug crypto ikev1' enabled or with syslog message 713241.

Workaround:
1) Delete the attribute from the Access Policies on your RADIUS server so it is no longer returned.
2) The attribute must not only contain an integer value; it must also be tagged as an Integer type in the RADIUS attribute dictionary (in ISE: Policy > Policy Elements > Dictionaries).

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
8.4(7), 9.1(7)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux35538
Title:
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback in ctm_ssl_generate_key with VPN scaled test and DHE ciphers.

Conditions:
ASA VPN AnyConnect and Clientless SSL VPN scaled test.

Workaround:
None

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(6.107), 9.1(6.111)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.114), 9.1(6.113), 9.1(7), 9.1(7.5), 9.2(4.9), 9.4(2.106)
Alert Type:
Updated *
Bug Id:
CSCuy78802
Title:
original master not defending all GARP packets after cluster split brain
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
- Inter-site cluster, ASA1 as master, ASA2 and ASA3 as slaves.
- When ASA3 loses connectivity on its CCL link, it becomes master and sends a GARP for the cluster IP and for the physical IP pointing to its own MAC address.
- This GARP from ASA3 updates the ARP table on the next-hop router, and traffic starts flowing through ASA3.
- The GARP also reaches ASA1. From ASA1's point of view it is still the master and still holds the cluster IP, so it responds with arp-defense, sending a GARP for itself that corrects the ARP entries on the next-hop router. The debugs appear as follows:
! the old Master receives GARP from the new Master (5.5.5.10 is the Cluster IP):
arp-in: request at inside from 5.5.5.10 f4cf.e200.30b3 for 5.5.5.10 f4cf.e200.30b3 having smac f4cf.e200.30b3 dmac ffff.ffff.ffff
! the old Master replies with GARP
arp-send: arp request built from 5.5.5.1 f4cf.e200.3053 for 5.5.5.10 at 4146420
arp-defense: Sent gratuitous arp in response to arp collision on interface inside

- The interesting part is that ASA3 sends 6 GARP messages and ASA1 reacts to all of them except the 2nd one.

- As a result, the next-hop router and any other devices in this VLAN fall back to ASA1.
- No matter how long we wait, ASA3 stays master and does not detect any failure.
- Once CCL connectivity is back, ASA3 moves to disabled and then comes back up as a slave; again, this does not affect any traffic flowing through the original master, ASA1.

- If the CCL recovers before the 3rd GARP is sent (a low-probability window), the surrounding devices are left with the MAC address of ASA3, causing an outage.
- Note also that the 2nd GARP from ASA3 is sent within a very short time, less than 1 msec.

Conditions:
ASA cluster

Workaround:
- clear the ARP entries on the switch, or configure a short ARP expiration timeout
- switch the cluster master to another unit and back
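An added example, not code from the bug record or from Cisco: the following Python reads 'debug arp' output of the shape quoted above and checks that every gratuitous ARP for an IP this unit owns, arriving from a foreign MAC, was answered by an arp-defense line. Because arp-defense is emitted while the colliding request is being handled, a defense is paired with the most recent foreign GARP, and a GARP followed by another GARP (or by end of input) with no defense in between is reported as missed. That is how the "6 GARPs, 5 defenses" observation above shows up. The debug lines are constructed here to mirror the quoted ones, with the 2nd GARP deliberately unanswered; the owned IP-to-MAC map is an assumed input.

```python
import re
from dataclasses import dataclass, field

# Shapes of the 'debug arp' lines quoted in the bug record.
ARP_IN = re.compile(
    r"arp-in: request at (?P<ifc>\S+) from (?P<sip>\S+) (?P<smac>[0-9a-f.]+) "
    r"for (?P<tip>\S+) (?P<tmac>[0-9a-f.]+)"
)
ARP_DEFENSE = re.compile(
    r"arp-defense: Sent gratuitous arp in response to arp collision on interface (?P<ifc>\S+)"
)


@dataclass
class GarpReport:
    foreign_garps: int = 0                      # GARPs for an IP we own, from a MAC that is not ours
    defended: int = 0                           # arp-defense replies this unit sent
    missed: list = field(default_factory=list)  # 1-based numbers of foreign GARPs that got no reply


def analyse_arp_debug(lines, owned):
    """owned maps IP -> MAC held by this unit (cluster IP and its own interface IP)."""
    report = GarpReport()
    unanswered = None  # number of the latest foreign GARP still waiting for an arp-defense
    for line in lines:
        m = ARP_IN.search(line)
        if m:
            sip, tip, smac = m["sip"], m["tip"], m["smac"].lower()
            # gratuitous: sender IP == target IP; foreign: sender MAC is not our MAC for that IP
            if sip == tip and sip in owned and smac != owned[sip].lower():
                if unanswered is not None:
                    report.missed.append(unanswered)
                report.foreign_garps += 1
                unanswered = report.foreign_garps
            continue
        if ARP_DEFENSE.search(line):
            report.defended += 1
            unanswered = None
    if unanswered is not None:
        report.missed.append(unanswered)
    return report


# Constructed sample, modelled on the quoted debugs: ASA3 (f4cf.e200.30b3) announces the
# cluster IP 5.5.5.10 six times; the old master ASA1 (f4cf.e200.3053) answers all but the 2nd.
GARP_FROM_NEW_MASTER = (
    "arp-in: request at inside from 5.5.5.10 f4cf.e200.30b3 for 5.5.5.10 f4cf.e200.30b3 "
    "having smac f4cf.e200.30b3 dmac ffff.ffff.ffff"
)
OLD_MASTER_DEFENSE = [
    "arp-send: arp request built from 5.5.5.1 f4cf.e200.3053 for 5.5.5.10 at 4146420",
    "arp-defense: Sent gratuitous arp in response to arp collision on interface inside",
]
ORDINARY_REQUEST = (  # a host asking for the ASA's interface IP: not gratuitous, must be ignored
    "arp-in: request at inside from 5.5.5.20 0011.2233.4455 for 5.5.5.1 f4cf.e200.3053 "
    "having smac 0011.2233.4455 dmac ffff.ffff.ffff"
)
ASA1_OWNS = {"5.5.5.10": "f4cf.e200.3053", "5.5.5.1": "f4cf.e200.3053"}  # assumed ownership map


def constructed_debug():
    lines = []
    for n in range(1, 7):
        lines.append(GARP_FROM_NEW_MASTER)
        if n != 2:  # the 2nd GARP gets no arp-defense, as described in the bug
            lines.extend(OLD_MASTER_DEFENSE)
    lines.append(ORDINARY_REQUEST)
    return lines


if __name__ == "__main__":
    print(analyse_arp_debug(constructed_debug(), ASA1_OWNS))
```

The same foreign-GARP test, applied to ARP traffic seen on the switch rather than to ASA debugs, is a usable split-brain alarm: a gratuitous ARP for the cluster IP from any MAC other than the known master's should page someone, whether or not the old master defends it.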

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy05949
Title:
ASA: MAC address changes on active context when WRITE STANDBY is issued
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In an Active-Active HA setup, when one group is active on the secondary ASA and a write standby command is issued, the mac-address changes for both the active and standby contexts in that group.

Conditions:
-multi-context HA pair
-the write standby command is issued on the active context of the secondary ASA.

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.132), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.9), 9.4(2.103), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy13937
Title:
ASA Watchdog traceback in CP Processing thread during TLS processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may crash and generate a traceback during TLS processing when TLS proxy is invoked in ASA versions 9.4(2)5 and 9.5(2) and later.

Conditions:
1. ASA must be acting as a TLS proxy between two endpoints
2. Observed on ASA versions 9.4(2)5 and 9.5(2) and later releases in those trains

Workaround:
Downgrade to an earlier version or disable the TLS proxy feature

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(2.5), 9.5(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8)
Alert Type:
Updated *
Bug Id:
CSCuw55813
Title:
Standby ASA traceback in Thread Name: EIGRP-IPv4
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA crashing in Thread Name: EIGRP-IPv4

Conditions:
ASA failover pair running EIGRP.

Workaround:
no workaround

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(1), 9.5(2.2)
Known Fixed Releases: *
100.12(0.157), 100.13(0.130), 100.15(0.112), 9.3(3.171), 9.3(3.8), 9.4(2.101), 9.4(3), 9.5(2.6), 9.6(0.101), 9.6(1.99)
Alert Type:
Updated *
Bug Id:
CSCuw86358
Title:
9.5.2/main: Traceback in tmatch during AnyConnect IPv6 TPS w/ SSP
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback on SSP 3RU platforms when a large number of AnyConnect IPv6 VPN sessions are disconnected from the device.


Conditions:
Disconnecting a large number of AnyConnect IPv6 VPN sessions (close to 20K users) on SSP 3RU platforms

Workaround:
None

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
100.15(0.67), 100.16(1.44)
Known Fixed Releases: *
100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.5(2.14), 9.6(0.99), 9.6(1), 96.1(1.24), 96.1(5.4), 96.1(6.3)
Alert Type:
Updated *
Bug Id:
CSCuy36897
Title:
Can't navigate to OWA 2013 due to ssl errors
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OWA 2013 login page is not shown

Conditions:
- TLSv1.2 is enabled
- EC certificate is used by OWA 2013

Workaround:
- Use TLSv1 or TLSv1.1

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
100.13(0), 9.6(1)
Known Fixed Releases: *
100.13(0.132), 100.15(0.112), 9.4(2.103), 9.4(3), 9.6(1.99), 96.1(1.83), 96.2(1.144), 96.2(11.1), 97.1(0.4)
Alert Type:
Updated *
Bug Id:
CSCuy74218
Title:
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed with DATAPATH thread.

Conditions:
ASA units in clustering.
Firepower modules installed on each ASA unit.
Firepower modules need to run in monitoring mode.

Workaround:
None.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(2.11), 9.5(2)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux71197
Title:
"show resource usage" gives wrong number of routes after shut/no sh
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When running in multiple-context mode, a shut/no shut on an interface updates the route resource usage: the ASA does not reset the counter but adds the new routes on top of the old count, so the limit is eventually reached.

With high network fluctuation the route resource is eventually depleted and the ASA fails to add routes, resulting in an outage.

Conditions:
none

Workaround:
reload the ASA

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
100.8(40.111), 9.2(1), 9.2(4.8), 9.3(3.8), 9.4(2.165), 9.5(1), 9.5(2), 96.1(1.71)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 9.2(4.9), 9.4(2.102), 9.4(3), 9.5(2.6), 9.6(0.109), 9.6(1.99)
Alert Type:
Updated *
Bug Id:
CSCuy73652
Title:
Traceback in thread name idfw when modifying object-group having FQDN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in thread name idfw when modifying object-group having FQDN

Conditions:
Modifying an object-group having FQDN.

Workaround:
Restrict the use of FQDN objects, if possible

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy41986
Title:
OCSP validation fails when multiple certs in chain are verified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An error occurs while building an OCSP request while validating the certificate of a connecting client

Conditions:
- The size of the CA hierarchy must be at least 2
- Root cert is configured in a trustpoint that requires OCSP validation
- The connecting client passes in the client certificate and the sub-ca certificate
- The sub-ca certificates are not included in the configuration

Workaround:
Add the subordinate certificate(s) to the ASA configuration as authenticated trust points

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.2(4.5)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.8), 9.4(2.102), 9.4(2.11), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuw51576
Title:
SSH connections are not timed out on ASA (stuck in rtcli)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
SSH connections are stuck and not able to open a new ssh connection to ASA.
The issue can potentially be triggered regardless of failover or multi-context configuration.

Conditions:
ASA running software version 9.1.5.21

Workaround:
Temporary workaround: reload the ASA

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8), 9.4(2.101)
Alert Type:
Updated *
Bug Id:
CSCuy95543
Title:
Improve efficiency of malloc_avail_freemem()
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
No real symptom: this bug tracks the efficiency improvement to malloc_avail_freemem().

The original symptom (High CPU usage) is now tracked by CSCuy94787.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2.6), 9.6(1)
Known Fixed Releases: *
100.15(0.113), 9.5(2.7), 9.6(1.1), 9.6(1.99), 96.1(1.87), 96.2(1.167), 96.2(11.4), 97.1(0.8), 97.1(1.10), 97.1(2.8)
Alert Type:
Updated *
Bug Id:
CSCux08783
Title:
CWS: ASA does not append XSS headers
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Users intermittently receive "access denied" messages when browsing through the Cisco Cloud Web Security service.

Conditions:
ASA Connector redirection to CWS.

Workaround:
Adding static egress IP(s) as Scanning IPs in the ScanCenter portal will prevent users from seeing the "access denied" messages, but user/group information will not be passed to the service, so policies will not be applied.

Further Problem Description:
This message does not reflect the default block page from CWS.

Last Modified:
28-JUN-2016
Known Affected Releases:
9.2(4), 9.4(1)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.4(2.101), 9.4(3), 9.5(2.6)
Alert Type:
Updated *
Bug Id:
CSCux86769
Title:
VLAN mapping doesn't work when connection falls back to TLS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
VLAN mapping does not take effect. Internal resources are no longer accessible after upgrading to 9.5.x

Conditions:
- ASA 9.5.x
- DTLS is blocked somewhere in the path, causing the connection to fall back to TLS
- DTLS is enabled on the ASA so the client tries to establish a DTLS connection

Workaround:
1. disable DTLS on the ASA so all connection attempts use TLS only. This could lead to performance issues.
or
2. downgrade the ASA to 9.4.x

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2), 96.1(1.56)
Known Fixed Releases: *
100.15(0.112), 9.5(2.6), 9.6(0.104), 9.6(1.99), 96.1(1.78), 96.2(1.130), 97.1(0.1)
Alert Type:
Updated *
Bug Id:
CSCuy01438
Title:
ASA traceback with SIP inspection and SFR enabled in 9.5.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Crash seen in 9.5.2 with SIP inspection enabled

Conditions:
SIP inspection and SFR enabled on the ASA running 9.5.2 or later

Workaround:
NA

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.112), 9.5(2.7), 9.6(1.1), 9.6(1.99), 96.1(1.86), 96.2(1.158), 96.2(11.2), 97.1(0.6), 97.1(1.8), 97.1(2.5)
Alert Type:
Updated *
Bug Id:
CSCuy21206
Title:
Traceback when drop is enabled with diameter inspection and tls-proxy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crash while replicating a flow

Conditions:
NAT is configured on an ASA that is part of a cluster. When an xlate is created it is replicated to the other cluster units, which triggers this crash.

Workaround:
Avoid NAT configuration in a clustering/HA environment

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
96.1(1.68)
Known Fixed Releases: *
100.15(0.114), 9.5(2.210), 9.5(2.7), 9.6(0.99), 9.6(1), 9.6(1.99), 96.1(1.74), 96.1(1.88), 96.2(1.124), 96.2(1.175)
Alert Type:
Updated *
Bug Id:
CSCuy65416
Title:
assert "ctm->async_ref == 0" failed: file "ssl_common.c", line 193-part2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback during an SSL VPN stress test

Conditions:
SSL VPN stress test

Workaround:
none

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(2.102)
Known Fixed Releases: *
100.12(0.158), 100.13(0.134), 100.15(0.112), 9.4(2.105), 9.4(2.106), 9.4(3), 9.5(2.7), 9.6(0.129), 9.6(1.1), 9.6(1.99)
Alert Type:
Updated *
Bug Id:
CSCus37458
Title:
ASA traceback in Thread name DATAPATH when handling multicast packet
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA or ASASM traceback in Thread name DATAPATH

Conditions:
ASASM/ASA running software version 9.3(2), 9.4(2.6), 9.5(1) or 9.5(2.2). Other versions can be affected as well.

Workaround:
We believe that the issue is not present in the 9.3(1.1) release, but downgrade to this release is not recommended due to various reasons, including security reasons (PSIRT issues) and limited support lifetime of the 9.3(1) release train.

Further Problem Description:
The crash happens during forwarding of multicast packets. So far the crash was observed for the following protocols: WS-Discovery (UDP/3702), Service Location Protocol (UDP/427), Simple Service Discovery Protocol (UDP/1900). One possible workaround would be to block multicast traffic for these protocols on neighboring routers/switches so that it doesn't reach ASA, or block all multicast traffic and allow only production multicast traffic.

Last Modified:
28-JUN-2016
Known Affected Releases:
9.3(2), 9.4(2.6), 9.5(1), 9.5(2.2)
Known Fixed Releases: *
100.13(0.137), 100.15(0.115), 9.4(3.1), 9.5(2.7), 9.6(1.1), 9.6(1.99), 96.1(1.89), 96.2(1.179), 96.2(11.9), 97.1(0.12)
Alert Type:
Updated *
Bug Id:
CSCuy11905
Title:
ASA 5585 traceback when the User name is mentioned in the Access list
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When user identity is configured in an access list, the ASA crashes.

Below is the configuration that was made:

object-group network CSM_INLINE_dst_rule_365072238634
description Generated by CS-Manager from dst of UnifiedFirewallRule# 13 (Local)
network-object object CAERPDBP-N2
network-object object CAERPDBP-N1
access-list outside_access_in line 24 remark Permit - BI Team to ERP servers for management JK 1-24-15
access-list outside_access_in line 25 extended permit tcp user asm\jeff.kreinest any4 object-group

Conditions:
Whenever user identity is configured in an access list, the ASA crashes.

When the total number of users created exceeds the system maximum.

Workaround:
NA

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
99.1(1.91)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8), 9.4(2.101)
Alert Type:
Updated *
Bug Id:
CSCuz14875
Title:
ASA RIP crashes when using address-family subconfiguration
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes every time when configuring the address-family under the RIP process:

router rip
address-family ipv4
!

Conditions:
ASA running 9.6(1) code.

Workaround:
Do not use the address-family form of configuration

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
9.6(1.99), 96.2(0.2), 96.2(1.181), 96.2(11.10), 97.1(0.12), 97.1(1.21), 97.1(2.44), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCva20477
Title:
PAT xlate does not delete after idle timeout
Status:
Open
Severity: *
2 Severe
Description:

Symptom:
Two issues (possibly related):
1) PAT xlates are not deleted after the idle timeout.
We already made sure that the xlates had no existing connections attached.

This is what we see :
UDP PAT from inside:10.a.b.x/61199 to any:x.x.x.x/61199 flags ri idle 46:26:42 timeout 0:01:00
UDP PAT from inside:10.b.c.y/56259 to any:y.y.y.y/56259 flags ri idle 47:26:40 timeout 0:01:00
UDP PAT from inside:10.c.d.z/56482 to any:z.z.z.z/56482 flags ri idle 47:26:42 timeout 0:01:00
UDP PAT from inside:10.e.f.w/50786 to any:w.w.w.w/50786 flags ri idle 46:23:40 timeout 0:01:00

The timeout in this case was 1 minute.

2) The xlate count and the number of xlates listed by "show xlate" do not match.
"show xlate count" shows : 242987 in use, 258596 most used

But "show xlate" shows 6534 lines.

"show resource usage all" also shows the same count as "xlate count"
Xlates 242797 258596 unlimited 0 wlan

Conditions:
Condition # 1 :
Check whether the NAT configuration has entries with the "any" keyword:
nat (inside,any) dynamic x.x.x.x
nat (inside,any) dynamic y.y.y.y

Condition # 2:
Unknown.

Workaround:
Workaround for #1 :
Change "any" to the specific interface in each such NAT rule.

Workaround # 2:
Unknown.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz01658
Title:
Traceback in gtp_remove_request with duplicate requests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may crash if a race condition is hit. The ASA needs to be configured for clustering, and the crashed unit is a slave.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.6(0.128)
Known Fixed Releases: *
100.15(0.113), 9.5(2.7), 9.6(1.1), 9.6(1.99), 96.1(1.87), 96.2(1.169), 96.2(11.4), 97.1(0.9), 97.1(1.11), 97.1(2.8)
Alert Type:
Updated *
Bug Id:
CSCuy07753
Title:
Smart tunnel does not work since Firefox 32bit version 43
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Smart tunnel functionality does not work with Firefox 43 or newer.
There is no prompt asking whether the user wishes to forward browser traffic via the smart tunnel; instead, the browser sends the traffic locally.

Conditions:
Firefox 43 or newer.

Workaround:
Use a different browser or downgrade Firefox.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuz08625
Title:
ASA traceback in SSH thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An issue in the display of captured network trace files over a Secure Shell (SSH) connection
with the Cisco Adaptive Security Appliance (ASA) Software could cause the SSH process to unexpectedly
restart.

The issue is due to a lack of proper input validation of certain captured UDP packets.

Conditions:
The default configuration of the affected device.

Workaround:
None.
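An added illustration, not the ASA code involved in this bug: the record attributes the SSH restart to missing input validation of captured UDP packets, and the discipline a capture viewer needs is that every length field is checked against the bytes actually captured before it is used to index anything. The Python below decodes IPv4/UDP frames that way and reports, rather than trusts, a datagram whose UDP length claims more bytes than exist or fewer than a header; the frames are constructed inline (build_ipv4_udp is a test helper for this example, not a real capture), and the 0xFFFF and 4-byte UDP lengths are the forged values being exercised.

```python
import socket
import struct
from dataclasses import dataclass

IPV4_MIN_HDR = 20
UDP_HDR_LEN = 8
PROTO_UDP = 17


class MalformedPacket(ValueError):
    """Raised for any frame whose headers disagree with the bytes actually present."""


@dataclass
class UdpDatagram:
    src_port: int
    dst_port: int
    length: int      # value of the UDP length field, already checked against the buffer
    payload: bytes


def parse_udp(buf: bytes) -> UdpDatagram:
    """Decode a UDP header; the length field is not trusted until checked against len(buf)."""
    if len(buf) < UDP_HDR_LEN:
        raise MalformedPacket(f"truncated UDP header: only {len(buf)} bytes")
    sport, dport, length, _checksum = struct.unpack("!HHHH", buf[:UDP_HDR_LEN])
    if length < UDP_HDR_LEN:
        raise MalformedPacket(f"UDP length {length} is smaller than the header")
    if length > len(buf):
        raise MalformedPacket(f"UDP length {length} exceeds the {len(buf)} captured bytes")
    return UdpDatagram(sport, dport, length, buf[UDP_HDR_LEN:length])


def parse_ipv4_udp(frame: bytes) -> UdpDatagram:
    """Walk an IPv4 packet to its UDP datagram with the same bounds discipline at each layer."""
    if len(frame) < IPV4_MIN_HDR:
        raise MalformedPacket(f"truncated IPv4 header: only {len(frame)} bytes")
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HDR:
        raise MalformedPacket(f"bad IPv4 version/IHL byte {frame[0]:#04x}")
    total_len = struct.unpack("!H", frame[2:4])[0]
    if total_len < ihl or total_len > len(frame):
        raise MalformedPacket(f"IPv4 total length {total_len} does not fit {len(frame)} captured bytes")
    if frame[9] != PROTO_UDP:
        raise MalformedPacket(f"not UDP (protocol {frame[9]})")
    return parse_udp(frame[ihl:total_len])


def describe_capture(frames):
    """One line per frame, as a capture viewer would print; malformed frames are reported, not decoded."""
    lines = []
    for frame in frames:
        try:
            d = parse_ipv4_udp(frame)
            lines.append(f"udp {d.src_port} -> {d.dst_port} len {d.length} payload {len(d.payload)}B")
        except MalformedPacket as exc:
            lines.append(f"dropped: {exc}")
    return lines


def build_ipv4_udp(src, dst, sport, dport, payload, forged_udp_len=None):
    """Constructed test packets for this example (not from a real capture); forged_udp_len lies in the UDP length field."""
    udp_len = UDP_HDR_LEN + len(payload) if forged_udp_len is None else forged_udp_len
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


DNS_QUERY = b"\x12\x34\x01\x00" + b"\x00" * 8          # 12-byte stand-in payload
GOOD = build_ipv4_udp("10.0.0.5", "10.0.0.53", 40000, 53, DNS_QUERY)
OVERLONG = build_ipv4_udp("10.0.0.5", "10.0.0.53", 40000, 53, DNS_QUERY, forged_udp_len=0xFFFF)
UNDERSIZED = build_ipv4_udp("10.0.0.5", "10.0.0.53", 40000, 53, DNS_QUERY, forged_udp_len=4)
TRUNCATED = GOOD[:24]                                   # snaplen cut the frame mid-UDP-header

if __name__ == "__main__":
    for line in describe_capture([GOOD, OVERLONG, UNDERSIZED, TRUNCATED]):
        print(line)
```

The point of the layering is that each parser only ever receives a slice that the layer above has already bounded, so a lying UDP length can never reach past the IP total length, and a lying IP total length can never reach past the captured frame.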

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(2.3), 9.5(2)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.2(4.11), 9.4(3.1), 9.5(2.235), 9.5(2.7), 9.6(1.1), 9.6(1.99), 96.2(0.4), 96.2(11.11)
Alert Type:
Updated *
Bug Id:
CSCuz66661
Title:
ASA Cut-through Proxy inactivity timeout not working
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running 9.1.6 and 9.1.7.4 does not clear uauth entries after the uauth idle timeout is reached:

ASA/admin# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'XXXXXXX' at Y.Z.24.249, authenticated (idle for 0:00:14)
absolute timeout: 0:10:00
inactivity timeout: 0:02:00

ASA/admin# show conn all | i Y.Z.24.249
TCP backbone Y.Z.24.249:50175 NP Identity Ifc W.X.203.13:443, idle 0:00:04, bytes 3582, flags UOB

The inactivity timeout is crossed and the uauth entry remains:

ASA/admin# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'XXXXXXX' at Y.Z.24.249, authenticated (idle for 0:02:02)
absolute timeout: 0:10:00
inactivity timeout: 0:02:00

ASA/admin# show conn all | i Y.Z.24.249
TCP backbone Y.Z.24.249:50175 NP Identity Ifc W.X.203.13:443, idle 0:00:04, bytes 3582, flags UfFROB

The uauth entry is ultimately cleared only after the absolute timeout is reached:

ASA/admin# show uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 0 1
user 'XXXXXXX' at Y.Z.24.249, authenticated (idle for 0:10:00)
absolute timeout: 0:10:00
inactivity timeout: 0:02:00

Conditions:
> ASA running code 9.1.6 and 9.1.7.4
> ASA configured with Cut-through proxy authentication
> ASA is running in multi-context mode

Workaround:
None.
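An added example, not part of this bug record (CSCuz66661) or of the PAT xlate record above (CSCva20477): both bugs show entries that outlive their own timer, and both are visible in show output before anyone notices an outage. The Python below parses 'show xlate', 'show xlate count' and 'show uauth' text of the quoted shape and reports xlates whose idle time exceeds their timeout, an in-use xlate count that does not match the number of listed entries, and cut-through proxy users whose idle time has passed the inactivity timeout. The sample outputs are constructed in the format of the two excerpts, with RFC 1918/5737 addresses and made-up user names.

```python
import re

# Line shapes from the 'show xlate', 'show xlate count' and 'show uauth' excerpts in the bug records.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<src>\S+) to (?P<dst>\S+) flags (?P<flags>\S+) "
    r"idle (?P<idle>\d+:\d{2}:\d{2}) timeout (?P<timeout>\d+:\d{2}:\d{2})"
)
XLATE_COUNT_RE = re.compile(r"(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")
UAUTH_USER_RE = re.compile(
    r"^user '(?P<user>[^']+)' at (?P<ip>\S+), authenticated \(idle for (?P<idle>\d+:\d{2}:\d{2})\)"
)
UAUTH_INACTIVITY_RE = re.compile(r"^inactivity timeout: (?P<t>\d+:\d{2}:\d{2})")


def hms_to_seconds(hms):
    """ASA prints idle times and timeouts as H:MM:SS; hours may exceed 24 (46:26:42 above)."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def stale_xlates(show_xlate):
    """PAT xlates whose idle time exceeds their own timeout: they should already have been torn down."""
    stale = []
    for line in show_xlate.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        idle, timeout = hms_to_seconds(m["idle"]), hms_to_seconds(m["timeout"])
        if timeout and idle > timeout:          # timeout 0:00:00 means no idle timeout, skip those
            stale.append((m["proto"], m["src"], m["dst"], idle - timeout))
    return stale


def xlate_count_mismatch(show_xlate, show_xlate_count):
    """Compare the in-use figure from 'show xlate count' with the rows 'show xlate' actually lists."""
    listed = sum(1 for line in show_xlate.splitlines() if XLATE_RE.match(line.strip()))
    m = XLATE_COUNT_RE.search(show_xlate_count)
    in_use = int(m["in_use"]) if m else None
    return in_use, listed, in_use != listed


def stuck_uauth(show_uauth):
    """Cut-through proxy users whose idle time has passed the inactivity timeout but are still listed."""
    stuck, current = [], None
    for line in show_uauth.splitlines():
        line = line.strip()
        m = UAUTH_USER_RE.match(line)
        if m:
            current = (m["user"], m["ip"], hms_to_seconds(m["idle"]))
            continue
        m = UAUTH_INACTIVITY_RE.match(line)     # printed after the user line and its absolute timeout
        if m and current is not None:
            user, ip, idle = current
            if idle > hms_to_seconds(m["t"]):
                stuck.append((user, ip))
            current = None
    return stuck


# Constructed samples in the format of the quoted output (RFC 1918/5737 addresses, made-up user names).
SAMPLE_XLATE = """\
UDP PAT from inside:10.10.1.5/61199 to any:198.51.100.7/61199 flags ri idle 46:26:42 timeout 0:01:00
UDP PAT from inside:10.10.2.9/56259 to any:198.51.100.7/56259 flags ri idle 47:26:40 timeout 0:01:00
TCP PAT from inside:10.10.3.4/49167 to outside:203.0.113.10/49167 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:10.10.4.2/50786 to outside:203.0.113.10/50786 flags ri idle 0:00:05 timeout 0:01:00
"""
SAMPLE_XLATE_COUNT_OK = "4 in use, 6 most used"
SAMPLE_XLATE_COUNT_BAD = "242987 in use, 258596 most used"
SAMPLE_UAUTH = """\
                        Current    Most Seen
Authenticated Users       2          2
Authen In Progress        0          1
user 'jdoe' at 10.20.24.249, authenticated (idle for 0:02:02)
   absolute timeout: 0:10:00
   inactivity timeout: 0:02:00
user 'asmith' at 10.20.24.250, authenticated (idle for 0:00:14)
   absolute timeout: 0:10:00
   inactivity timeout: 0:02:00
"""

if __name__ == "__main__":
    print(stale_xlates(SAMPLE_XLATE))
    print(xlate_count_mismatch(SAMPLE_XLATE, SAMPLE_XLATE_COUNT_BAD))
    print(stuck_uauth(SAMPLE_UAUTH))
```

Run the three checks against output collected on a schedule; a non-empty stale or stuck list, or a count mismatch that grows between runs, is the early warning for both bugs, and for the uauth case it also means an authenticated session is being kept alive past the policy the inactivity timeout was meant to enforce.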

Further Problem Description:

Last Modified:
29-JUN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.13(0.142), 100.15(0.121), 100.8(40.121), 9.5(2.12), 9.6(1.99), 96.2(0.50), 97.1(0.20), 97.1(1.57), 97.1(10.1), 97.1(2.47)
Alert Type:
Updated *
Bug Id:
CSCva26581
Title:
ASA5585 9.4.2.3 Device crashed
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
ASA5585 v9.4(2)3 in single mode crashes in Thread 0 in thread group.

Conditions:
v9.4(2)3

Workaround:

Further Problem Description:

Last Modified:
29-JUN-2016
Known Affected Releases:
9.4(2.3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux70784
Title:
ASA traceback while viewing large ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload when viewing an ACL that has a lot of remarks in the configuration. In testing, this appears to happen when running a command such as 'show access-list'

Conditions:
Cisco ASA running release 9.4.1 and later. This has been seen in a configuration containing over 65k remarks.

Workaround:
Do not use many remarks, or clean up the existing remarks to avoid a significant number of them.

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.1(7.7), 9.2(4.11), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCur68862
Title:
GNU libtasn1 asn1_get_bit_der() Incorrect Length Report Code Execution
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3468

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3468 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
30-JUN-2016
Known Affected Releases: *
2.0(1), 9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur68864
Title:
GNU libtasn1 NULL Pointer Dereference Denial of Service Vulnerability
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3469

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3469 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
30-JUN-2016
Known Affected Releases: *
2.0(1), 9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur68863
Title:
GNU libtasn1 Multiple Buffer Boundary Checks Denial of Service Vulnera
Status:
Other
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-3467

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-3467 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
30-JUN-2016
Known Affected Releases: *
2.0(1), 9.3(2), 9.3(2.200), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz36938
Title:
Traceback on editing a network object on exceeding the max snmp hosts
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA crashes when a network object used in the snmp-server host configuration is modified such that the maximum number of supported SNMP hosts is exceeded.

Conditions:
Only when the existing network object is modified to a /8 subnet (255.0.0.0): the max-limit error is not shown, the ASA hangs, and then produces a traceback.

Workaround:
None.

Further Problem Description:
Related config:
object network snmphosts
subnet 10.1.1.0 255.255.255.0

snmp-server host-group mgt snmphosts poll community ***** version 2c

The crash was not seen when a /16 subnet was configured (even though that exceeded the max limit as well):

dblab01OBF10/pri(config)# object network snmphosts
dblab01OBF10/pri (config-network-object)# subnet 10.1.0.0 255.255.0.0

ERROR: Total number of hosts in the system will exceed the MAX limit
ERROR: object (SNMPHosts1) updation failed due to internal error


Only when a /8 subnet is configured is the error not shown; the ASA hangs and then produces a traceback.

object network snmphosts
subnet 10.0.0.0 255.0.0.0 <<<<<<<<>>>>>>>>>>

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(6.11), 9.1(7), 9.1(7.4)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.119), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.6(1.99), 96.2(0.17), 96.2(11.13), 97.1(0.15)
Alert Type:
Updated *
Bug Id:
CSCuz21068
Title:
CSCOPut_hash can initiate unexpected requests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
- Customer is able to access his portal.

- Accessing certain tabs within his portal causes failures. The new tab will load and then disappear.

- This only happens on Firefox and Chrome. Internet Explorer works fine.

- Entire site works when not accessed through clientless portal bookmark

Conditions:
- Using rewriter on clientless portal with Chrome and Firefox

Workaround:
- Use Internet Explorer

- Bypass rewriter

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 100.8(40.118), 9.1(7.7), 9.2(4.10), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCuz14808
Title:
5585-10 traceback in Thread Name: idfw_proc
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585-SSP-10 is crashing in Thread Name: idfw_proc

Conditions:
running software version 9.6(1)

Workaround:
N/A

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.142), 100.15(0.122), 100.8(40.121), 9.1(7.7), 9.5(2.12), 9.6(1.99), 96.2(0.52), 97.1(0.20), 97.1(1.59), 97.1(2.47)
Alert Type:
Updated *
Bug Id:
CSCuz09394
Title:
infinite loop in JS rewriter state machine when return followed by var
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After clicking on a bookmark, the page seems to load (there is a spinning icon); after a while the spinning icon stops, but the page stays blank.

Conditions:
The page has a JS file that can send the WebVPN rewriter into an infinite loop.

Workaround:
Use APCF

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 100.8(40.118), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.1), 9.6(1.99)
Alert Type:
Updated *
Bug Id:
CSCuz10371
Title:
ASA Traceback and reload by strncpy_sx.c
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload unexpectedly. The output of 'show crash' may indicate that the thread that caused the crash is labelled as 'idfw_proc' and the faulting action is unknown.

This is different than bug CSCuy03024 in which the faulting action is Page Fault.

Conditions:
- First observed on an ASA running 9.5.2 and then also on 9.5.2.5
- The crash was triggered during configuration synchronization from the active to the passive unit in a failover pair. The passive unit crashed when receiving the configuration.

Workaround:
N/A

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(2), 9.5(2), 9.5(2.5)
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.1(7.7), 9.2(4.9), 9.4(2.111), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCux29842
Title:
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
40% of the sessions were dropped during failover due to crash.

Conditions:
Failover enabled.

Workaround:

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(3), 9.3(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.7), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.235)
Alert Type:
Updated *
Bug Id:
CSCuy96391
Title:
ASA clientless rewriter failure at 'CSCOPut_hash' function
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When clicking on bookmark within webportal, the resulting page does not display.

Conditions:
This issue was observed with the following:
-ASA 9.2.2.4
-Issue seen with clientless only, not with AnyConnect

Workaround:
Use AnyConnect instead of clientless

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(6), 9.2(2.4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.1(7.7), 9.2(4.9), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCuz52474
Title:
Evaluation of pix-asa for OpenSSL May 2016
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176

And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl

This bug has been opened to address the potential impact on this product.

Conditions:
Cisco ASA running release 9.0 or later may be affected by the following vulnerabilities. Exposure is not configuration dependent.

Padding oracle in AES-NI CBC MAC check CVE-2016-2107
Memory corruption in the ASN.1 encoder CVE-2016-2108
ASN.1 BIO excessive memory allocation CVE-2016-2109

The ASA is not affected by the following vulnerabilities:
EVP_EncodeUpdate overflow CVE-2016-2105
EVP_EncryptUpdate overflow CVE-2016-2106
EBCDIC overread CVE-2016-2176

Devices running versions prior to 9.0 may be affected by one or more of these vulnerabilities. These releases have not been extensively investigated. All releases prior to 9.0 have reached End of Software Maintenance and will not receive updates.

Workaround:
None

Further Problem Description:
ASA versions previous to 9.0 have all reached End of Software Maintenance by Cisco and may be affected by one or more of these vulnerabilities. Combined with the fact that they use version 0.9.8 of OpenSSL (support for which ended in December 2015), no updates will be made for those versions. Customers are advised to upgrade to version 9.1 or later.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 5.1

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:ND

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
The score reflects the maximum score for all the vulnerabilities mentioned in this bug information.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
01-JUL-2016
Known Affected Releases:
6.0, 9.0, 9.1(2), 9.2, 9.2(1), 9.3, 9.3(2), 9.4, 9.4(1), 9.5
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.1(7.7), 9.2(4.11), 9.4(3.2), 9.5(2.12), 9.6(1.99), 96.2(0.36), 96.2(11.17), 97.1(0.17)
Alert Type:
Updated *
Bug Id:
CSCuz21178
Title:
ASA traceback in threadname ssh
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback due to threadname ssh

Conditions:
ASA traceback due to threadname ssh

Workaround:
none

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.4(2.11)
Known Fixed Releases: *
100.13(0.141), 100.13(0.143), 100.15(0.119), 100.15(0.124), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.38), 96.2(0.62), 97.1(0.18)
Alert Type:
Updated *
Bug Id:
CSCuz70330
Title:
ASA: SSH being denied on the ASA device as the maximum limit is reached
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA denies SSH connections and shows the maximum-limit-reached message.

Conditions:
This is only seen with SSH connections; Telnet and ASDM work fine.

Workaround:
Perform a failover, or a reload in the case of a standalone deployment.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(7.4), 9.3(3), 9.3(3.1)
Known Fixed Releases: *
100.13(0.142), 100.15(0.120), 100.8(40.121), 9.1(7.7), 9.5(2.12), 9.6(1.99), 96.2(0.48), 97.1(0.20), 97.1(1.55), 97.1(1.76)
Alert Type:
Updated *
Bug Id:
CSCuy54567
Title:
Evaluation of pix-asa for OpenSSL March 2016
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-0800 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704

And disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

This bug has been opened to address the potential impact on this product.

Conditions:
Exposure is not configuration dependent.

Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799 - Fix memory issues in BIO_*printf functions
CVE-2016-0702 - Side channel attack on modular exponentiation
CVE-2016-0705 - Double-free in DSA code

This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2
CVE-2016-0704 - Bleichenbacher oracle in SSLv2
CVE-2016-0798 - Memory leak in SRP database lookups

Workaround:
Not available.

Further Problem Description:
Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 4.3

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:ND

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
01-JUL-2016
Known Affected Releases:
6.0, 8.0, 9.0, 9.1(2), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 9.5(2), 9.6(2)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 9.1(7.7), 9.2(4.11), 9.4(3.2), 9.5(2.12), 9.6(1.99), 96.2(0.36), 96.2(11.17), 97.1(0.17)
Alert Type:
Updated *
Bug Id:
CSCuz04534
Title:
Memory leak in 112 byte bin when packet hits PBR and WCCP rules
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Memory usage on ASA increases over a period of time

Conditions:
1. Policy Based Routing is applied on an interface.
2. WCCP redirection is enabled on the same interface, where PBR is applied.
3. ASA receives traffic that hits both PBR access-list and WCCP redirect rule.

Workaround:
Exclude the traffic redirected to WCCP server from the PBR access-list. Note that not all traffic selected by the WCCP redirect-list is redirected to WCCP server. WCCP Server "informs" the ASA what TCP port numbers should be redirected to it.

How to find out what TCP port traffic is redirected to WCCP Server
==================================================================

Run the command "show wccp service". Output similar to the following should be shown.

WCCP service information definition:
Type: Dynamic
Id: 90
Priority: 240
Protocol: 6
Options: 0x00000011
--------
Hash: SrcIP
Alt Hash: -none-
Ports: Destination:: 80 443 0 0 0 0 0 0 <===

In the above example, TCP traffic to ports 80 and 443 is redirected to the WCCP server.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.4(1), 9.5(2.6), 9.6(1)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 9.4(3.1), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.16), 96.2(11.13), 97.1(0.15), 97.1(1.34)
Alert Type:
Updated *
Bug Id:
CSCuy63642
Title:
ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524"
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 running version 9.1(6) encounters traceback with thread name "DATAPATH-2-1524"

Conditions:
ASA5585 running 9.1(6)

Workaround:
None so far

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(6), 9.4(2.3)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.29)
Alert Type:
Updated *
Bug Id:
CSCuz16498
Title:
Error messages on console "ERROR: Problem with interface "
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When there is QoS configuration on the ASA, errors like the following might be seen on the console:

ERROR: Problem with interface 2
ERROR: Problem with interface 3
ERROR: Problem with interface 4
ERROR: Problem with interface 5
ERROR: Problem with interface 6
ERROR: Problem with interface 7
ERROR: Problem with interface 8
ERROR: Problem with interface 9
ERROR: Problem with interface 10
ERROR: Problem with interface 11
ERROR: Problem with interface 12

Conditions:
QoS must be configured to encounter this problem

Workaround:
N/A

Further Problem Description:
N/A

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases: *
9.6(1.5), 9.6(1.99), 96.2(0.23), 96.2(11.16), 97.1(0.16), 97.1(1.37), 97.1(1.76), 97.1(10.1), 97.1(2.44), 97.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCux33726
Title:
ASA traceback - WebVPN CIFS_file_rename_remove operations
Status:
Fixed
Severity:
2 Severe
Description:

ASA may traceback with high stress Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete).

Symptom:

Conditions:
ASA may traceback with Clientless SSL VPN CIFS-RAMFS file operations (browse, add, remove, delete) when performed under highly stressful conditions.

Workaround:
Clientless SSL VPN and File operations.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
100.13(32.2), 8.4, 9.1(6.107), 9.1(6.111), 9.1(6.112), 9.3(3.227), 9.3(3.229), 9.4(2.104), 9.5(2), 9.6(0.126)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 100.8(40.118), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.5), 9.6(1.99), 96.2(0.7)
Alert Type:
Updated *
Bug Id:
CSCuy00296
Title:
Traceback in Thread: IPsec message handler
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: IPsec message handler

Conditions:
No specific condition triggering this issue as of now.

Workaround:
None at this time

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.2(2.4), 9.5(2)
Known Fixed Releases: *
100.13(0.141), 100.15(0.119), 100.8(40.120), 9.1(7.7), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.40), 97.1(0.18), 97.1(1.50)
Alert Type:
Updated *
Bug Id:
CSCuz30425
Title:
Network command disappears from BGP after reload with name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Network command disappears from BGP after reload with name

Conditions:
Issue is only seen when a name has been configured (name 2.2.2.0 Production-20-0)

Workaround:
remove name from the configuration (name 2.2.2.0 Production-20-0)

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.5), 9.6(1.99), 96.2(0.8), 96.2(11.12), 97.1(0.13)
Alert Type:
Updated *
Bug Id:
CSCuz67349
Title:
ASA Cluster fragments reassembled before transmission with no inspection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
-- Some non-inspected fragmented traffic passing through an ASA Cluster is reassembled.

Conditions:
-- ASA configured in Cluster mode with at least two units in the cluster.
-- inspection disabled for the specified traffic (inspected traffic is expected to be reassembled).

Workaround:
-- This is not an issue in itself; however, if the MTU on the receiving host is not consistent with the MTU throughout the network, the host will drop the reassembled packet.
-- It is always recommended to have a consistent MTU configured throughout the network and on end hosts (servers and clients).

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.141), 100.15(0.119), 100.8(40.120), 9.1(7.7), 9.2(4.11), 9.5(2.10), 9.6(1.5), 9.6(1.99), 96.2(0.36), 96.2(11.17)
Alert Type:
Updated *
Bug Id:
CSCuz40081
Title:
ASA memory leak due to vpnfo
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA memory utilization high due to memory leak in Occam_arena_get_block

Conditions:
HW: ASA 5580 in a failover

SW: 9.1.6

Workaround:

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(6), 97.1(9.5)
Known Fixed Releases: *
100.13(0.141), 100.15(0.120), 100.8(40.121), 9.1(7.7), 9.5(2.12), 9.6(1.99), 96.2(0.48), 97.1(0.20), 97.1(1.55), 97.1(1.76)
Alert Type:
Updated *
Bug Id:
CSCuv09640
Title:
ASA: "Auto-Enable" feature not working with SSH configured with PKF
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"Auto-enable" feature does not work with ASA device configured with the SSH PKF feature

Conditions:
ASA SSH configured with the PKF feature

Workaround:
Don't use the "auto-enable" command with SSH PKF feature

Further Problem Description:

Last Modified:
03-JUN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.134), 100.13(0.90), 100.14(0.68), 100.15(0.112), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4), 100.15(2.75), 100.15(3.20)
Alert Type:
Updated *
Bug Id:
CSCue76147
Title:
Cisco ASA CSC-SSM HTTPS Denial of Service Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A vulnerability in the HTTPS inspection engine of the Cisco ASA Content Security and Control Security Services Module (CSC-SSM) could allow an unauthenticated, remote attacker to cause exhaustion of available memory, system instability, and a reload of the affected system.

The vulnerability is due to improper handling of HTTPS packets transiting through the affected system. An attacker could exploit this vulnerability by sending HTTPS packets through the affected system at a high rate.

Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-csc

Conditions:
See security advisory

Workaround:
See security advisory

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2016-1312 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
08-JUN-2016
Known Affected Releases:
6.6(1125.0)
Known Fixed Releases:
6.6(1157), 6.6(1164)
Alert Type:
Updated *
Bug Id:
CSCuz90778
Title:
Cisco IP Phones fail to connect to ASA in multi-context mode.
Status: *
Other
Severity: *
3 Moderate
Description:

Symptom:
-SSL VPN connections from Cisco IP phones fail with the error "anyconnect_unsupported_version.html"
-The latest version of the AnyConnect package is used on the ASA.
-Cisco AnyConnect clients are able to connect successfully to the ASA.
-The customer is using Cisco IP phones model 7942 running version SCCP42.9-4-2-1S and 8851 running 10-3-1-20

Conditions:
-ASA acting as headend for webvpn connections running on version 9.6(1)
-Webvpn configured on the outside interface with the latest AnyConnect package.

Workaround:
NA

Further Problem Description:
NA

Last Modified:
09-JUN-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur51051
Title:
LU allocate connection failed on the Standby ASA unit
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA-3-210005: LU allocate connection failed syslog on the Standby Unit.
Mismatch in number of connections on the Active/Standby Units

Conditions:
ASA running in HA pair Active/Standby

Workaround:
Failing over the devices resolves the issue.

During a live debugging session, it was observed that the first "wr standby" caused hundreds of "Failed to replicate flow" error messages. If you executed "wr standby" again immediately after it was done syncing, I saw just 20. It may be possible that if you execute it multiple times one after the other, then it will sync completely.

Further Problem Description:
None

Last Modified:
09-JUN-2016
Known Affected Releases:
9.1(5.19)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(26.9), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCux64137
Title:
ASA NTP Documentation Clarification
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
This is a documentation issue for the Cisco Adaptive Security Appliance (ASA). 'ntp authenticate' does not enforce authentication, it enables it. There are interdependent commands which must also be enabled to create authenticated NTP sessions. The Usage Guidelines are unclear on this point.

To ensure an authenticated NTP session, one must:
1) enable authentication:
ntp authenticate
2) create an NTP key:
ntp authentication-key key_id md5 key
3) associate the key with the ntp server command:
ntp server ip-address key key-id
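As an added example (not Cisco's code and not part of this bug record), the following Python audit checks an ASA configuration fragment for the three interdependent commands above and flags any 'ntp server' line that would still form an unauthenticated session; the two configuration samples are constructed.

```python
"""Audit an ASA configuration fragment for fully authenticated NTP.

Added example, not Cisco's own code. It checks the three interdependent
commands described in CSCux64137: 'ntp authenticate', at least one
'ntp authentication-key', and a 'key' on every 'ntp server' line that
refers to a defined key id. Sample configurations are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: authentication enabled, but one server has no key
# and the other references a key id that was never defined.
SAMPLE_CONFIG_WEAK = """\
ntp authenticate
ntp authentication-key 1 md5 *****
ntp server 192.0.2.10 source outside
ntp server 192.0.2.11 key 2 source outside
"""

# Constructed sample: all three commands present and consistent.
SAMPLE_CONFIG_GOOD = """\
ntp authenticate
ntp authentication-key 1 md5 *****
ntp server 192.0.2.10 key 1 source outside prefer
"""

_KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 \S+")
_SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?")


def parse_ntp(config: str) -> Dict[str, object]:
    """Collect the NTP-relevant commands from ASA running-config text."""
    authenticate = False
    keys: Set[int] = set()
    servers: List[Tuple[str, Optional[int]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
            continue
        m = _KEY_RE.match(line)
        if m:
            keys.add(int(m.group(1)))
            continue
        m = _SERVER_RE.match(line)
        if m:
            key = int(m.group(2)) if m.group(2) else None
            servers.append((m.group(1), key))
    return {"authenticate": authenticate, "keys": keys, "servers": servers}


def audit_ntp(config: str) -> List[str]:
    """Return findings; an empty list means every NTP server is authenticated."""
    st = parse_ntp(config)
    findings: List[str] = []
    if not st["authenticate"]:
        findings.append("'ntp authenticate' is missing: authentication is not enabled")
    if not st["keys"]:
        findings.append("no 'ntp authentication-key' is defined")
    for server, key in st["servers"]:
        if key is None:
            findings.append(
                f"ntp server {server}: no 'key' associated, session is unauthenticated"
            )
        elif key not in st["keys"]:
            findings.append(
                f"ntp server {server}: key {key} is not defined by any "
                "'ntp authentication-key'"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("good", SAMPLE_CONFIG_GOOD)):
        print(f"{name}: {audit_ntp(cfg) or ['OK']}")
```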

Conditions:
Documentation bug

Workaround:
Not applicable or available.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
23-JUN-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy81417
Title:
Coverity 114307: RESOURCE_LEAK in sl_ipc_send_res_disable_msg
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
24-JUN-2016
Known Affected Releases:
97.1(1.5)
Known Fixed Releases: *
96.2(1.178), 96.2(11.9), 97.1(0.11), 97.1(1.18), 97.1(2.44), 97.1(3.5), 97.1(5.6)
Alert Type:
New
Bug Id:
CSCva21493
Title:
DOC:ASA only polls Scansafe tower from admin context in multi context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Cisco ASA running in multiple context active/active mode only supports operation of Scansafe Cloud Web Security Connector feature on the Primary ASA. Under normal operation, the Secondary ASA does not forward traffic to the Scansafe Cloud Web Security Towers.

The Scansafe Cloud Web Security Connector tracks CWS Tower reachability status using the ASA admin context running on the Primary ASA in an active/active failover pair; security contexts configured to use the Scansafe Cloud Web Security Connector are dependent on the reachability status reported by the admin context operating on the local ASA.

The Scansafe Cloud Web Security Connector on the Secondary ASA standby admin context remains dormant and always reports CWS Tower reachability status as "unreachable".

Because security contexts active on the Secondary ASA obtain CWS tower reachability status from the admin context on the local ASA (i.e. the Secondary ASA), security contexts active on the Secondary ASA will always report the CWS Tower reachability status as "unreachable" even when the Primary ASA admin context correctly reports the CWS Tower reachability status as "reachable".

In a failover scenario, the admin context on the Secondary ASA becomes active and will correctly report CWS Tower reachability, allowing security contexts active on the Secondary ASA to correctly determine CWS tower reachability status.

Conditions:
The limitation affects Cisco ASA Scansafe Cloud Web Security Connector when used on ASA pairs operating in multi-context active/active mode as per the following general scenario:

ASA-1 and ASA-2 are configured in multi-context mode with two contexts; CONTEXT-A and CONTEXT-B.

The admin context and security context CONTEXT-A are active on ASA-1.

The security context CONTEXT-B is active on ASA-2.

The admin context on ASA-1 runs the Scansafe Cloud Web Security Connector and correctly tracks CWS Tower reachability status as "reachable".

The security context CONTEXT-A obtains the CWS Tower status of "reachable" from the local admin context and correctly forwards traffic to Scansafe Cloud Web Security.

The admin context on ASA-2 remains dormant and continues to report the CWS Tower reachability status as "unreachable".

The security context CONTEXT-B obtains the CWS Tower status of "unreachable" from the local admin context and does not forward traffic to Scansafe Cloud Web Security.

Workaround:
When operating Cisco ASA in multiple context active/active mode, security contexts that require the Scansafe Cloud Web Security feature should be confined to the Primary Cisco ASA.

Further Problem Description:

Last Modified:
24-JUN-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCva23218
Title:
ASA: aaa authorization exec "auto-enable" not working
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
The ASA is configured to automatically grant privileged-exec mode to users who successfully authenticate via any method. However, when authentication succeeds, only users configured with a local username and password are granted privileged-exec access. A user who authenticates by any other method (RADIUS/TACACS/PKI) is granted only exec mode and still has to enter the enable password to reach privileged-exec mode. 'auto-enable' appears to be broken for every method other than local username/password authentication.

Conditions:
Observed on ASA 9.5.2; believed to affect all trains since the 'auto-enable' command was introduced (9.2.1).
Observed on the Kenton platform; believed to affect all hardware platforms.
ASA configured to 'auto-enable' users via any method, but the functionality only works with username/password.

Workaround:
Use a local username/password to log in if 'auto-enable' is required.
Otherwise none.

Further Problem Description:

Last Modified:
26-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy30069
Title:
ASA 9.5.2 does not send CERT_REQ for 512-bit certificate
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Client fails to complete the SSL handshake.

Conditions:
Client machine uses a SHA512-based certificate.
ASA is running an affected version.
Server certificate is SHA512-based.

Workaround:
Use a SHA256/SHA384 certificate

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.130), 9.4(2.101), 9.4(3), 9.5(2.6), 9.6(0.101), 9.6(1.99), 96.1(1.76), 96.2(1.128)
Alert Type:
Updated *
Bug Id:
CSCuy62198
Title:
If FQDN is more than 64 chars then we redirect to ip instead of FQDN
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When clicking the Start Anyconnect link, you get a certificate warning.

Conditions:
This happens when connecting to an ASA with an FQDN longer than 64 characters. The certificate warning occurs because the ASA responds with a redirect to the IP address instead of the FQDN, so the certificate name does not match.

Workaround:
Shorten the ASA FQDN to fewer than 64 characters.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(1.203)
Known Fixed Releases: *
100.11(0.71), 100.12(0.158), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.4(2.109), 9.4(3), 9.6(1.99), 96.1(1.88), 96.2(1.171)
Alert Type:
Updated *
Bug Id:
CSCux39988
Title:
Different output of BVI address in transparent mode on failover pair
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The BVI IP address shown by "show interface" differs from the one shown by "show interface ip brief" when executed on the standby unit.

Conditions:
ASA Failover + transparent mode

Workaround:
NA

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(6.10), 9.5(1.5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.15(0.113), 100.8(40.110), 9.4(2.99), 9.4(3), 9.6(1.99), 96.1(1.87)
Alert Type:
Updated *
Bug Id:
CSCux82023
Title:
Stub Connections Torn Down due to Shun/Threat Detection in ASA Cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An ASA in cluster mode w/ threat detection enabled may erroneously tear down stub connections when issuing a shun for another host.

Conditions:
1. Running ASA in cluster mode
2. Threat detection enabled
3. Threat detection issuing a shun against a host due to being identified as a scanning threat

Workaround:
Disable the threat detection feature

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.4(2.107), 9.4(3), 9.6(1.99), 96.1(1.86), 96.2(1.163)
Alert Type:
Updated *
Bug Id:
CSCux99392
Title:
Uploaded/downloaded files via CIFS have Zero Byte size (same WebFolder)
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
File sharing through CIFS protocol on WebVPN portal is failing. Any downloaded or uploaded file has zero byte size.

Conditions:
The symptom is observed for users running ASA with 9.5.2 image or later

Workaround:
No workaround

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2), 96.1(1.45)
Known Fixed Releases: *
100.12(0.157), 100.13(0.132), 100.15(0.112), 9.4(2.102), 9.4(3), 9.5(2.6), 9.6(0.115), 9.6(1.99), 96.1(1.81), 96.2(1.139)
Alert Type:
Updated *
Bug Id:
CSCuy19933
Title:
ASA rewriter incorrectly handle HTML code of type <base>xxx</base>
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the latest browsers RDWeb page is not rendered properly.

Conditions:
ASA using WebVPN

Workaround:
none

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.116), 9.6(1.99), 96.2(0.4), 96.2(11.11), 97.1(0.12), 97.1(1.23), 97.1(2.44), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCuy58084
Title:
Unable to configure a user for ssh public auth only (tied w/ CSCuw90580)
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Prior to the fix for CSCuv09640, administrators were able to configure an ASA to allow public-key SSH authentication only, by omitting the `aaa authentication ssh console...` configuration and configuring an SSH public key for a user in the local user database.

As part of its changes, CSCuv09640 removed this ability. The behavior described above was not the intended behavior, but rather a loophole in the way ssh public key auth was handled.

However, this leaves administrators unable to configure an ASA to allow public key auth only.

Conditions:
SSH authentication with the "ssh publickey..." attribute on a local user.

Workaround:
None

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
96.2(0)
Known Fixed Releases: *
100.13(0.134), 100.15(0.112), 9.4(3.1), 9.5(2.7), 9.6(1.99), 96.1(1.86), 96.2(1.158), 96.2(1.161), 96.2(11.2), 97.1(0.6)
Alert Type:
Updated *
Bug Id:
CSCuy72257
Title:
Coverity 114177: CHECKED_RETURN in oct_dbg_write_csr
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
96.2(1.147), 97.1(1.6)
Known Fixed Releases: *
9.6(1.99), 96.2(0.5), 96.2(11.11), 97.1(0.12), 97.1(1.23), 97.1(2.44), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCuy88971
Title:
ASA does not suppress EIGRP candidate default route information
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA does not clear the "Route is Candidate Default" flag in EIGRP updates when redistributing a default route from static routes or other dynamic routing protocols.
EIGRP update packets display : Route is Candidate Default: True
External Data
Originating RouterID: x.x.x.x(x.x.x.x)
Originating A.S.: x
Administrative Tag: x
External Metric: x
Reserved: x
External Protocol ID: Static Route (3)
External Flags
.... ...0 = Route is External: False
.... ..1. = Route is Candidate Default: True

Conditions:
The command "no default-information out" is configured in EIGRP

Workaround:
NONE

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.0, 9.1, 9.2, 9.3, 9.4, 9.5
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 9.4(2.109), 9.4(3), 9.6(1.99), 96.1(1.88), 96.2(1.174), 96.2(11.6), 97.1(0.10)
Alert Type:
Updated *
Bug Id:
CSCuy68174
Title:
Coverity 114166: NULL_RETURNS in ss_send_health_check_request
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
100.11(0.71), 100.13(0.132), 100.15(0.111), 96.1(1.83), 96.2(1.147), 97.1(1.5)
Known Fixed Releases: *
100.15(0.112), 9.6(1.99), 96.1(1.86), 96.2(1.158), 96.2(11.2), 97.1(0.6), 97.1(1.8), 97.1(2.4), 97.1(3.2), 97.1(4.2)
Alert Type:
Updated *
Bug Id:
CSCuy91788
Title:
ASAv: Free memory is reported as negative in an OOM condition
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In a high memory usage condition on the virtual ASA, the free memory can be reported by 'show memory [detail]' as a very high number, for example 18446744073447407616 bytes.

Conditions:
Virtual ASA, high memory usage.

Workaround:
Treat such a value as an indication that memory is exhausted, or nearly so.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
96.2(1.155)
Known Fixed Releases: *
100.15(0.112), 9.5(2.8), 9.6(1.1), 9.6(1.99), 96.1(1.87), 96.2(1.164), 96.2(11.4), 97.1(0.7), 97.1(1.9), 97.1(2.8)
Alert Type:
Updated *
Bug Id:
CSCuy72255
Title:
Coverity 114176: CHECKED_RETURN in oct_dbg_read_csr
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
96.2(1.147), 97.1(1.6)
Known Fixed Releases: *
9.6(1.99), 96.2(0.5), 96.2(11.11), 97.1(0.12), 97.1(1.23), 97.1(2.44), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCsh75522
Title:
Increase Content-length counter from 4 to 8 byte size
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Deep HTTP inspection (i.e. http app-fw or inspect http with an http-policy-map) reports the HTTP connection as a protocol-violation if the request's "Content-Length: " value n > 268435455.
ASA supports content-length values only up to 0x0FFFFFFF (i.e. 268435455).

Conditions:
HTTP requests whose Content-Length: header value is greater than 268435455.

Workaround:
No workaround.

Further Problem Description:
One way to get rid of the issue is to disable the connection drop or reset for protocol-violation. However, this means inspection is not performed on the HTTP data.

Last Modified:
28-JUN-2016
Known Affected Releases:
7.0, 8.0(0.195)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.4(2.102), 9.4(3), 9.6(1.99), 96.1(1.80), 96.2(1.134)
Alert Type:
Updated *
Bug Id:
CSCuy18640
Title:
Potential deadlock between GTP msg process and pdp creation/deletion
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A soft trace may be seen on the console while a deadlock is happening.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(1.178)
Known Fixed Releases: *
100.15(0.112), 9.5(1.186), 9.6(0.101), 9.6(0.103), 9.6(1.99), 96.1(1.75), 96.1(1.77), 96.2(1.127), 96.2(1.129)
Alert Type:
Updated *
Bug Id:
CSCuy84044
Title:
Rewriter error with webworker JS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA webvpn is unable to render a page with webworker javascript element

Conditions:
The internal page uses webworker javascript

Workaround:
None

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.136), 100.15(0.113), 100.8(40.117), 9.4(2.109), 9.4(3), 9.6(1.99), 96.1(1.87), 96.2(1.170)
Alert Type:
Updated *
Bug Id:
CSCuy59460
Title:
SNMP poll is successful for invalid username for v3
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
If SNMP v3 users are configured, and snmp access is enabled from a host or network, then all the configured SNMP v3 users can access the ASA via SNMP from that host or network. This is regardless of whether the user is specified in the snmp-server host command.

Conditions:
At least one SNMP v3 user is configured and at least one snmp-server host is configured.

Workaround:
Treat snmp-server user configuration and snmp-server host configuration as independent restrictions.

Further Problem Description:
SNMP v3 user authentication and privacy credentials are enforced, and snmp-access is restricted to the specified host or network. But the ability to limit SNMP access from a particular host or network for a particular user does not work.

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(3), 9.4(2.101)
Known Fixed Releases: *
100.13(0.136), 100.15(0.113), 9.6(1.99), 96.1(1.87), 96.2(1.169), 96.2(11.4), 97.1(0.9), 97.1(1.11), 97.1(2.8), 97.1(3.4)
Alert Type:
Updated *
Bug Id:
CSCuy43857
Title:
ASA WebVPN: Java Exception with Kronos application
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a Kronos based application is used with the WebVPN rewriter, parts of the portal which use Java may fail with a 'ClassNotFound' exception or 'NoClassDefFound' error.

Conditions:
Application accessed using ASA WebVPN rewriter

Workaround:
None

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(1), 9.4(2)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.11), 9.4(2.106), 9.4(3), 9.5(2.12)
Alert Type:
Updated *
Bug Id:
CSCva02121
Title:
Traceback Thread Name: ci/console : debug menu ctm 103 crashes the ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
debug menu ctm 103 crashes the ASA

This one was seen in my LAB while trying to analyse a customer's crypto archive.

One more thing: the customer's crypto archive was from an ASA5525 platform and I did the debug on an ASA5545 platform.

So, debug menu ctm 103 was not performed on the same platform as the one the archive was taken from.

Conditions:
While debugging a crypto archive.
debug menu ctm 103 jag-crypto_eng0_arch_1.bin

Workaround:
None

Further Problem Description:
The crash was caused by reading an incomplete crypto archive file. Checks are being added to make sure the debugger dumps the archive file with the correct size.

Last Modified:
29-JUN-2016
Known Affected Releases:
9.4(2.6)
Known Fixed Releases: *
100.15(0.124), 9.6(1.99), 96.2(0.62), 97.1(0.22), 97.1(1.71), 97.1(2.47), 97.1(6.6), 97.1(7.12), 97.1(9.12)
Alert Type:
Updated *
Bug Id:
CSCux43333
Title:
coredump completion reported when failure is due to insuff filesys size
Status:
Open
Severity: *
3 Moderate
Description:

Symptom:
"Coredump completed" may be displayed on the console even though the coredump failed to be written to flash.

Conditions:
When the size of the coredump generated exceeds the size of the coredump file system

Workaround:
Provide a coredump filesystem with sufficient space so that the coredump does not exceed the allocated space

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(6.108)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy99280
Title:
ENH: ASAv should have a different pre-loaded cert
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASAv may fail to register to the Smart Software Licensing portal. The ASAv will present the following output:

ASAv# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error

(The Last Server Response Message may also simply state "Communication Failure").

The ASA will be able to access internet resources, but ASA-3-717009 messages will be seen, indicating "No suitable trustpoints found to validate certificate serial number..."

Conditions:
In the output of show crypto ca certificate, the default certificate has the following information:

ASAv# show crypto ca certificate
CA Certificate
[...]
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
[...]
Associated Trustpoints: _SmartCallHome_ServerCA


The first line under "Subject Name" (indicating the intermediate CA) reads "cn=Symantec Class 3 Secure Server CA - G4" in the correct cert, i.e., it's signed by Symantec rather than Verisign and is G4 rather than G3.

Workaround:
Pre-9.5.2:

Run the following command in enable mode:

crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b

Starting in 9.5.2:

The trustpool will auto-update at 10pm local device time. If this is an initial installation, and DNS lookups and internet connectivity have not been up at that time yet, then the auto-import has not succeeded and will need to be completed manually.

### IMPORTANT NOTE ####
After 9.6.1.1 is released -
1. Before upgrading the ASA, run the following commands at the ASA prompt. This removes the old cached certificate from the config.
ciscoasa(config)# clear configure crypto ca trustpoint
ciscoasa(config)# write memory

2. After the upgrade, the following message will appear during bootup:
.Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

3. As the old cached certificate is cleared by step 1, the new certificate will be installed in the trustpoint. This can be verified by issuing the following command and observing output. Note: the 'subject name' should match the 'issuer name'.
5545-1# show crypto ca certificates

Output:
CA Certificate
Status: Available
Certificate Serial Number: 18dad19e267de8bb4a2158cdcc6b3b4a
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Validity Date:
start date: 00:00:00 UTC Nov 8 2006
end date: 23:59:59 UTC Jul 16 2036
Associate

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.3(3), 9.4(2), 9.5(2)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 100.7(6.151), 100.8(40.118), 9.1(7.7), 9.2(4.11), 9.4(2.112), 9.4(3), 9.5(2.207)
Alert Type:
Updated *
Bug Id:
CSCuz06125
Title:
Active and Standby ASA use same MAC addr with only active MAC configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Active and Standby ASAs use the same MAC address on their interfaces.

Conditions:
Only the active MAC address is configured under the interface. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111

Workaround:
Configure both active and standby MAC addresses when assigning a manual MAC address. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111 standby 0000.1000.2222

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 100.8(40.117), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.7), 9.6(1.1), 9.6(1.99)
Alert Type:
Updated *
Bug Id:
CSCuz38703
Title:
ASA capture type isakmp saving malformed ISAKMP packets
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Capture type isakmp is producing malformed packets.

Conditions:
Taking capture type isakmp.

Workaround:
None

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(1), 9.5(2.6)
Known Fixed Releases: *
100.13(0.139), 100.15(0.117), 100.8(40.118), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.16)
Alert Type:
Updated *
Bug Id:
CSCuz58142
Title:
ASA Access-list missing and losing elements Warning Message enhancement
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After a configuration change is pushed, tmatch compile continues to run, the number of elements in the ACL falls, and not all elements are loaded.

Conditions:
ASA running 9.1.7 with new ACL configuration applied.

Workaround:
none

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.1(7.7), 9.2(4.11), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.30), 96.2(11.16)
Alert Type:
Updated *
Bug Id:
CSCuy74593
Title:
ASA AnyConnect IKEv2 scripts help customisations not served after reload
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The AnyConnect clients are not able to download the customised help file and/or OnConnect script.
The ASA does not list them as items to be downloaded by vpndownloader.exe. This can be seen on the ASA with "debug aggregate-auth xml 255"; the following part is missing:

scripts_OnConnect_logon.vbs
37294DFFGBB66A4B0FA23DE5F9B7B7F816EF902D

As a result, in the DART bundle anyconnect.txt logs the files are not even mentioned.

Conditions:
ASA
AnyConnect with IPSEC/IKEv2

Customisation configured, e.g.
OnConnect script configured.
or
Help file PDF configured.

Webvpn is not enabled:

webvpn
enabled <--- not there

It happens after device reload.

Workaround:
Using ASDM, export the files (script/help file), delete them from the ASA, and import them again to the ASA.
For convenience the files can be exported to / imported from local ASA flash.

OR

enable and disable webvpn:

webvpn
enable outside
no enable outside

Further Problem Description:
If webvpn is not enabled the AnyConnect customisation files are not loaded after ASA reload.
As a result they are not pushed to the new clients.
It happens only if IKEv2 is enabled and webvpn is disabled.

Last Modified:
30-JUN-2016
Known Affected Releases:
9.1(5.16), 9.2(4), 9.2(4.5), 9.4(2.11)
Known Fixed Releases: *
100.13(0.141), 100.8(40.120), 9.1(7.7), 9.2(4.13)
Alert Type:
Updated *
Bug Id:
CSCuz41033
Title:
dynamic crypto map fails if named the same as static crypto map
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Both the static and dynamic crypto maps use the same name, and an ACL is configured under the dynamic map.
The IPsec tunnel comes up, but traffic is dropped.

Example:
Ping fails

"show asp drop" shows the following:
"VPN overlap conflict (vpn-overlap-conflict) "

Conditions:
Both the static and dynamic crypto maps use the same name.
An ACL is configured under the dynamic map.

Workaround:
Change either the static crypto map name or the dynamic crypto map name,
or delete the ACL from the dynamic map.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(6.110), 9.1(7.4)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.1(7.7), 9.2(4.11), 9.4(3.1), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.20)
Alert Type:
Updated *
Bug Id:
CSCuz81922
Title:
SRTS: "type" option missing under "show cluster chassis xlate count"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Type option missing under "show cluster chassis xlate count" on ASA

Conditions:
Type option missing under "show cluster chassis xlate count" on ASA

Workaround:

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.6(1.70)
Known Fixed Releases: *
100.15(0.120), 9.6(1.99), 96.2(0.47), 97.1(0.20), 97.1(1.55), 97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49), 97.1(6.4)
Alert Type:
Updated *
Bug Id:
CSCuz16398
Title:
Incorrect modification of NAT divert table.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The NAT divert table gets modified: the rule is pushed to the bottom of the NAT divert table list when the "no-proxy-arp/route-lookup" keywords are added to an already existing nat statement.

Conditions:
Append the no-proxy-arp/route-lookup keywords to an existing nat statement without deleting the entry first.

Workaround:
Delete the nat statement and re-add the entry with the keyword included by specifying the line number.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.2(4.5)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 100.8(40.118), 9.6(1.99), 96.2(0.7), 96.2(11.12), 97.1(0.12), 97.1(1.25), 97.1(1.26), 97.1(1.76)
Alert Type:
Updated *
Bug Id:
CSCuz42986
Title:
ASA(HA) doesn't send RST packets when sfr module shutdown
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The client does not receive RST packets when the sfr modules of both ASA5506s (HA) are shut down.

Conditions:
This issue occurs on ASA5506/5508/5516 in HA.
The ASA5506/5508/5516 are set to fail-close.

Workaround:
None

Further Problem Description:
None

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2), 9.6(1)
Known Fixed Releases: *
100.15(0.119), 9.6(1.99), 96.2(0.38), 97.1(0.18), 97.1(1.49), 97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49), 97.1(6.2)
Alert Type:
Updated *
Bug Id:
CSCuz06153
Title:
Incorrect msg shown when configuring MAC addr same as already configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message "ERROR: active address equals to burn-in address" shown when trying to configure manual MAC address for an interface of the ASA.

Conditions:
The MAC address is previously configured for the interface already. For example:

ciscoasa(config)# show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
mac-address 0000.1000.1111
nameif csm
security-level 0
no ip address
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# mac-address 0000.1000.1111 standby 0000.1000.2222
ERROR: active address equals to burn-in address

Workaround:
Remove the previously configured mac-address and re-add it. For example:

ciscoasa(config)# show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
mac-address 0000.1000.1111
nameif csm
security-level 0
no ip address
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# no mac-address 0000.1000.1111
ciscoasa(config-if)# mac-address 0000.1000.1111 standby 0000.1000.2222

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.141), 100.15(0.119), 9.6(1.99), 96.2(0.36), 97.1(0.18), 97.1(1.48), 97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCuz66269
Title:
SCP Client not allow to enter password with "no ssh stricthostkeycheck"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When copying a file to or from an ASA in either single or multi-context mode using Secure Copy (SCP), the CLI terminates prematurely with "permission denied" when "no ssh stricthostkeycheck" is configured in single mode or in the admin context under multi-context mode. If the user is connected to the ASA through a serial console, a "Password:" prompt is likely to be seen before the CLI ends. If the user is connected to the ASA through an SSH/telnet session, the "Password:" prompt may not be presented, as it may still be pending when the CLI ends.

Conditions:
1) ASA running in single or multi-context mode from version 9.1(5) upwards.
2) Copying a file to or from the ASA using authenticated SCP with "no ssh stricthostkeycheck" configured in single mode or in admin context under multi-context mode.

Workaround:
When prompted for the user name, add the password after a ":" character as the separator. For example:

ASA/pri/act(config)# copy scp://192.168.1.1 disk0:asa916-140-k8.bin

Address or name of remote host [10.252.11.19 ]?

Source username []? username:password

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.0(4), 9.1(5)
Known Fixed Releases: *
100.13(0.141), 100.15(0.119), 100.8(40.120), 9.6(1.99), 96.2(0.36), 97.1(0.18), 97.1(1.47), 97.1(1.76), 97.1(10.1), 97.1(2.47)
Alert Type:
Updated *
Bug Id:
CSCuy94591
Title:
ASA inconsistent logs about Connection limit exceeded
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There are multiple issues with inconsistent syslog messages related to Connection limits that were exceeded.

Deviation 1
There is '/0' shown in the syslog message:
Mar 20 2016 23:41:46: %ASA-3-201011: Connection limit exceeded 13/0 for input packet from 192.168.75.15/49592 to 192.168.76.15/80 on interface INSIDE

Deviation 2
Sometimes there is negative value shown:
Mar 20 2016 19:49:40: %ASA-3-201011: Connection limit exceeded -3/5 for input packet from 192.168.75.15/22081 to 192.168.76.16/80 on interface INSIDE
ASA5525-3# show service-policy set connection detail
Global policy:
Service-policy: global_policy
Class-map: MPF_CMAP
Set connection policy: conn-max 5 per-client-max 5 per-client-embryonic-max 3
current conns -3, drop 824 <--


Deviation 3
Sometimes logs show that the connection limit is exceeded when it is not (false positives):
ASA5525-3(config-pmap-c)# show log | i limit
Mar 20 2016 19:58:54: %ASA-6-201012: Per-client embryonic connection limit exceeded 3/3 for input packet from 192.168.75.15/22229 to 54.225.81.205/80 on interface INSIDE
Mar 20 2016 19:58:54: %ASA-3-201011: Connection limit exceeded 29/50 for input packet from 192.168.75.15/22229 to 192.168.76.15/80 on interface INSIDE
Mar 20 2016 19:58:58: %ASA-3-201011: Connection limit exceeded 50/50 for output packet from 192.168.75.15/61527 to 192.168.76.15/80 on interface OUTSIDE
Mar 20 2016 19:58:59: %ASA-3-201011: Connection limit exceeded 48/50 for input packet from 192.168.75.15/22259 to 192.168.76.15/80 on interface INSIDE


Deviation 4
'show run all policy-map' doesn't show the configured connection limits:
ASA5525-3# show run policy-map
...
class MPF_CMAP
set connection per-client-max 20 per-client-embryonic-max 3 <-

Here is a 14-min Webex recording where you can see my lab tests and the above issues (you can skip the part between 4:45 - 10:00 min so essentially it is a 9-min recording):
https://cisco.webex.com/ciscosales/lsr.php?RCID=bcbc75b3872941dc93a1685836da6479

Conditions:
-

Workaround:
-

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2.5)
Known Fixed Releases: *
100.15(0.118), 9.4(2.195), 9.6(1.99), 96.2(0.32), 96.2(11.16), 97.1(0.17), 97.1(1.42), 97.1(1.76), 97.1(10.1), 97.1(2.44)
Alert Type:
Updated *
Bug Id:
CSCuz52859
Title:
SNMPv3 noauth traps/poll not working when going from single to multimode
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SNMPv3 noauth traps/poll not working when going from single to multimode

Conditions:
Save SNMPv3 NOAUTH configs in single mode, then switch to multimode

Workaround:
Remove and re-add the noauth configs for the user.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
100.8(40.117)
Known Fixed Releases: *
100.13(0.140), 100.15(0.117), 100.8(40.119), 9.4(3.1), 9.6(1.99), 96.2(0.19), 96.2(11.15), 97.1(0.15), 97.1(1.37), 97.1(1.76)
Alert Type:
Updated *
Bug Id:
CSCuz41308
Title:
zone keyword seen in show route interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
zone keyword seen in show route interface

Conditions:
zone keyword seen in "show route interface" which is not expected.

Workaround:
none

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
96.2(0.6)
Known Fixed Releases: *
9.6(1.99), 96.2(0.16), 96.2(11.13), 97.1(0.15), 97.1(1.34), 97.1(1.76), 97.1(10.1), 97.1(2.44), 97.1(2.49), 97.1(3.7)
Alert Type:
Updated *
Bug Id:
CSCuy67333
Title:
SIP call transfer fail due to differences b/w fixing CallId and Refer-To
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SIP call transfers fail through ASA.

Conditions:
1. SIP call transfers are happening through an ASA configured to inspect SIP.
2. Call-Id of the referred call contains an IP address for which ASA has a dynamic PAT configured.
3. Call-Id of referred call doesn't contain port number.
4. Refer-To field of referring call contains the call-id of referred call.

Workaround:
As of now, only the following workarounds are known:

1. Configure static NAT instead of PAT for SIP endpoints.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(5.4), 9.3(3.6), 9.5(2.2)
Known Fixed Releases: *
100.13(0.140), 100.15(0.118), 100.8(40.119), 9.1(7.7), 9.2(4.11), 9.5(2.12), 9.6(1.5), 9.6(1.99), 96.2(0.30), 96.2(11.16)
Alert Type:
Updated *
Bug Id:
CSCur42776
Title:
Mac version smart-tunnel uses SSLv3 which is a vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
The Clientless Smart Tunnel Component for MacOSX of Cisco ASA Software includes a version of SSL that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:

CVE-2014-3566

Conditions:
Exposure is not configuration dependent.

Workaround:
Not available.

Further Problem Description:
This bug is only for the client-side, the Clientless Smart Tunnel Component for MacOSX.

For SSL server-side, please check CSCur23709.

SSLv3 support in the Clientless Smart Tunnel Component for MacOSX will be removed.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
01-JUL-2016
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1), 9.3(2), 9.4(1), 99.1
Known Fixed Releases:
100.11(0.54), 100.11(0.55), 100.12(0.111), 100.12(0.94), 100.12(23.4), 100.12(24.2), 100.13(0.10), 100.13(0.21), 100.13(11.17), 100.13(12.36)
Alert Type:
Updated *
Bug Id:
CSCva30995
Title:
ASA marking Radius server as Failed if it silently discards Acct Request
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
Per RFC2866,
If the RADIUS accounting server is unable to successfully record the accounting packet it MUST NOT send an Accounting-Response acknowledgment to the client.

When ASA doesn't send the Framed IP address in Accounting request packet, Radius server silently discards these messages and eventually ASA marks the server as failed.

Conditions:
Using Remote Access VPN setup on ASA with Radius accounting configured

Workaround:

Further Problem Description:
None

Last Modified:
01-JUL-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy15798
Title:
Add support for IPv6 assigned address field in Radius Accounting packet
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA does not send Framed-IPv6-Address information in RADIUS accounting packet

Conditions:
AnyConnect is assigned an IPv6 address from the pool and RADIUS accounting is configured.

Workaround:
None

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.141), 100.15(0.119), 9.6(1.99), 96.2(0.47), 97.1(0.20), 97.1(1.55), 97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCva24799
Title:
TLS Proxy feature missing client trust-point command
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
TLS Proxy feature does not work since the client trust-point command is missing.

Conditions:
TLS proxy configured

Workaround:
None

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.4(3)
Known Fixed Releases: *
96.2(0.70), 97.1(0.23), 97.1(1.78)
Alert Type:
New
Bug Id:
CSCuy42087
Title:
ASA: Not able to remove ACE with "log default" keyword
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA: Unable to remove ACE with "log default" keyword enabled

Conditions:
The "log default" keyword has been added at the end of the ACE.

Workaround:
Do not use the "log default" keyword at the end of the ACE.

When using CSM, set the ACL parameter to "traffic" rather than "speed".

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
100.13(0.129)
Known Fixed Releases:
100.13(0.135), 100.15(0.112), 9.4(2.107), 9.4(3), 9.6(1.99), 96.1(1.86), 96.2(1.161), 96.2(11.2), 97.1(0.6), 97.1(1.8)
Alert Type:
Updated *
Bug Id:
CSCva05513
Title:
ASA: SLA Monitor not working with floating timeout configured to nonzero
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SLA Monitor pre-emption does not work with floating timeout configured to nonzero value on the ASA configuration

Conditions:
The timeout floating-conn value is non-zero.

Workaround:
Reconfigure the floating timeout to 0:00:00

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.143), 96.2(0.69), 97.1(0.23), 97.1(1.76), 97.1(2.49), 97.1(6.8), 97.1(9.14)
Alert Type:
Updated *
Bug Id:
CSCva12520
Title:
snmpwalk not working for some NAT OIDs
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
snmpwalk fails when invoked on the OIDs cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
02-JUL-2016
Known Affected Releases:
100.11(0.71)
Known Fixed Releases: *
100.13(0.143), 96.2(0.70), 97.1(0.23), 97.1(1.78)
Alert Type:
Updated *
Bug Id:
CSCuo05238
Title:
'show activation-key' command does not display the flash key correctly
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The contents of the flash permanent activation key are not displayed correctly in the output of the 'show activation-key' command.

Conditions:
An ASA with a running permanent activation key that is different from the flash permanent activation key.

Workaround:
None. When the ASA is reloaded, and the flash permanent activation key becomes the running permanent activation key, its contents are displayed correctly.

Further Problem Description:

Last Modified:
17-JUN-2016
Known Affected Releases: *
100.8(38.131), 9.1(7)
Known Fixed Releases:
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuh99564
Title:
Password change page can be displayed without authentication
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Appending ?reason=3 to the WebVPN portal URL https://IP-Address/+CSCOE+/logon.html allows someone to display a password change page with no authentication or valid session.

Conditions:
WebVPN is enabled.

Workaround:
None.

Further Problem Description:
This is a cosmetic issue only -- it is not possible to change anyone's password using this page without a valid and authenticated WebVPN session.

PSIRT Evaluation:

The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
30-JUN-2016
Known Affected Releases:
8.1(2.7), 9.1(1)
Known Fixed Releases: *
100.13(0.142), 100.15(0.123), 100.8(40.121), 9.1(7.7), 9.5(2.12), 9.6(1.99), 96.2(0.57), 97.1(0.21), 97.1(1.62), 97.1(2.47)
Alert Type:
Updated *
Bug Id:
CSCva21624
Title:
BGP - Adding IPV6 network with prefix adds the addr in the IPV4 network
Status: *
Other
Severity: *
4 Minor
Description:

Symptom:
The IPv6 network address is added under the IPv4 network addresses.

Conditions:
In BGP routing, adding an IPv6 network address with a prefix name.

Workaround:
Add the IPv6 network address without a prefix name.

Further Problem Description:

Last Modified:
30-JUN-2016
Known Affected Releases:
9.6(2.240)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy25445
Title:
Master shows slave interfaces as "up" when slave rejoining
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If a slave unit in a cluster reboots, while it is rejoining, the master will show its interfaces as "up" instead of "init" for a short period of time.

The issue has no functional impact.

Conditions:
Cisco ASA running release 9.0 and later.

Workaround:
None.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.1(6.184)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.4(2.101), 9.4(3), 9.6(1.99), 96.1(1.77)
Alert Type:
Updated *
Bug Id:
CSCuz11171
Title:
'show service-policy inspect gtp pdp-context imsi' does not work
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
The 'show service-policy inspect gtp pdp-context imsi' command does not display any pdp-contexts.

Conditions:

Workaround:
Filter by IMSI with the command 'show service-policy inspect gtp pdp-context detail | inc IMSI', although this gives only a partial output.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.15(0.118), 9.6(1.99), 96.2(0.26), 96.2(11.16), 97.1(0.16), 97.1(1.39), 97.1(1.76), 97.1(10.1), 97.1(2.44), 97.1(2.49)
Alert Type:
Updated *
Bug Id:
CSCuq93539
Title:
DOC: Command reference dns-server example set three IPv4 addresses
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
Only two IPv4 addresses (primary and secondary) are allowed in the dns-server command.

But the ASA Command Reference example sets three addresses.
-------
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/d3.html#pgfId-1998435

Examples: The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup.

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30 10.10.10.45
-------

In fact, three IPv4 addresses cannot be set.
-------
hostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30 10.10.10.45
ERROR: Too many IPv4 servers specified
-------

Conditions:
no

Workaround:
no

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.0
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur30827
Title:
Placeholder to commit CLNS compiled files
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Placeholder to commit CLNS compiled files

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.0
Known Fixed Releases: *
100.15(11.1), 100.16(1.8), 100.16(12.1), 9.6(0.99), 9.6(1), 9.6(1.99), 96.1(1.29), 96.1(1.57), 96.2(0.1), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCtg38746
Title:
Knob to allow h.225 traffic before h.225 setup
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Phones fail when sending h.225 traffic before h.225 setup message

Conditions:
Phone sending h.225 before h.225 setup.
h.323 inspection enabled on ASA.
The following syslog will be triggered: %ASA-4-405104: H225 message INFORMATION received from 10.122.42.221/496 to 10.11.185.8/47110 before SETUP

Workaround:
Disable inspection and open all necessary ports to allow traffic.

Last Modified:
28-JUN-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.16(1.49), 100.16(14.1), 100.16(15.7), 9.6(0.99), 9.6(1), 9.6(1.99), 96.1(1.5), 96.1(1.57), 96.1(6.1), 96.2(0.1)
Alert Type:
Updated *
Bug Id:
CSCtc26917
Title:
ENH: Tracking Packet Count on Per-Connection Basis Through Netflow
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to add support for per-connection packet count tracking and export through Netflow on Adaptive Security Appliance (ASA).

Conditions:

Workaround:

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
8.2(1)
Known Fixed Releases: *
100.15(18.1), 100.16(1.12), 9.6(1.99), 96.2(0.1)
Alert Type:
Updated *
Bug Id:
CSCuv83951
Title:
ASA webvpn: Citrix SSO for Storefront 2.6 does not work
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SSO for Citrix Storefront 2.6 does not work. This is an enhancement request to support the same.

Conditions:
Using SSO for Storefront version 2.6

Workaround:
none

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.16(1.16), 100.16(14.1), 9.6(0.99), 9.6(1), 9.6(1.99), 96.1(1.54), 96.1(1.57), 96.2(0.1)
Alert Type:
Updated *
Bug Id:
CSCsf31461
Title:
Capture type asp-drop needs to be filterable by ACL
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:

Conditions:
When using a capture of type asp-drop we need to be able to use an ACL to limit the scope of the capture. Currently capture type asp-drop does not let someone use an ACL to identify particular flows that are being dropped.

For instance, if I know a flow is being dropped because of packet inspection but I need to capture the actual packet that fails inspection, I have to know exactly what asp type to capture. If there is a large number of drops, it makes it difficult to find the specific flow.

Further Problem Details:
This is needed to be able to pick out a single flow that is failing with the capture type asp-drop. This will allow users to pinpoint the failing packets. In particular this is helpful if the "show asp-drop" statistics are incrementing very quickly, making it difficult to narrow down the exact drop reason.
Example:
This is how an asp-drop capture is currently configured.
capture aspcap type asp-drop all

This is what could be configured if we tied the capture to an ACL.
access-list aspcap permit ip host 10.1.1.1 host 172.16.2.2
access-list aspcap permit ip host 172.16.2.2 host 10.1.1.1

capture aspcap type asp-drop all access-list aspcap

Workaround:
Use capture of type "asp-drop all" and use an ACL in the show capture command to selectively show packets of interest.

Further Problem Description:

Last Modified:
28-JUN-2016
Known Affected Releases:
100.16(1.1), 7.0, 7.1, 7.2, 8.4(1)
Known Fixed Releases: *
100.16(1.32), 100.16(14.1), 9.6(1.99), 96.2(0.1), 96.2(1.109), 96.2(1.116), 96.2(1.138), 96.2(11.1), 97.1(0.3), 97.1(1.3)
Alert Type:
Updated *
Bug Id:
CSCuy36536
Title:
Transparent Firewall: Need ability to switch 802.2 LLC with DSAP 0xe8
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Packets with an 802.2 LLC header and most LSAP values cannot traverse the firewall in transparent mode.

Conditions:
Transparent Firewall Mode.
Generic 802.2 LLC packet

Workaround:
None

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
EVERCLEAR
Known Fixed Releases: *
9.6(1.99), 96.2(0.1), 96.2(0.12), 96.2(1.145), 96.2(11.1), 96.2(11.13), 97.1(0.14), 97.1(0.7), 97.1(1.32), 97.1(1.76)
Alert Type:
Updated *
Bug Id:
CSCuz19421
Title:
ENH: ASA - Ability to suppress NAT warning console messages during boot
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Enhancement request to add the ability to suppress NAT warning messages which are shown on the console during boot up.

Conditions:
Rebooting an ASA that displays many warning messages can delay the ASA coming completely up.

Workaround:
none

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.119), 9.6(1.99), 96.2(0.43), 97.1(0.19), 97.1(1.52), 97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49), 97.1(6.2)
Alert Type:
Updated *
Bug Id:
CSCua37902
Title:
Some syslogs lost when using TCP based syslogging
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
If TCP syslogging is configured on the ASA, not all messages are sent to the syslog server if there is sufficient load as well as some connectivity issues between the ASA and the Syslog Server.

Conditions:
The issue is seen only when using TCP based syslogging and a high rate of syslogs.

Workaround:
Use UDP syslogging instead of TCP syslogging.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
8.4, 8.4(3), 8.4(3.130), 9.1(5)
Known Fixed Releases: *
100.16(1.75), 100.16(1.81), 100.16(14.1), 9.1(2.220), 9.1(6.170), 9.6(1.99), 96.1(6.1), 96.1(6.7), 96.2(0.1), 96.2(1.178)
Alert Type:
Updated *
Bug Id:
CSCti30937
Title:
Add support for "sha256RSA" as the signature algorithm for certificates
Status:
Fixed
Severity:
6 Enhancement
Description: *

Symptom:
While importing the certificate on the ASA from ASDM, the following error is seen: "Failed to parse or verify imported certificate"

Conditions:
The certificate is using "sha256RSA" as the signature algorithm

Workaround:
Regenerate the certificate with the SHA-1 signature algorithm.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
8.2(0), 8.3(2)
Known Fixed Releases:
100.7(0.65), 100.7(6.12), 100.7(8.1), 8.2(3.150), 8.2(3.240), 8.2(3.7), 8.2(4.1), 8.2(5), 8.4(0.99), 8.4(1)
Alert Type:
Updated *
Bug Id:
CSCuz90525
Title:
ENH: Chrome Extension for Smart Tunnel provisioning
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Chrome has dropped NPAPI support, so Smart Tunnel provisioning should be done with a Chrome extension; this enhancement is to develop that extension. It is a basic Chrome extension that launches the Terminal process on OS X.

Conditions:
Use Chrome Browser

Workaround:
Use Firefox.

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.7(1)
Known Fixed Releases: *
97.1(1.76), 97.1(10.1), 97.1(2.47), 97.1(2.49), 97.1(7.15), 97.1(7.6)
Alert Type:
Updated *
Bug Id:
CSCva00799
Title:
ASA interfaces are still up during reload causing traffic blackholing
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
Both ASAs in MASTER state

Conditions:
The MASTER ASA running a software module is reloaded using the "reload" command.

Workaround:
First shut down the software module

Further Problem Description:

Last Modified:
01-JUL-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz19763
Title:
FTD inline set need delay to avoid port flap with link state propagation
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
With an inline set configured in FTD, if the neighboring device takes a while to bring the link up after the FTD has brought it up, the FTD can bring the link down before that, which can lead to an endless loop of the link coming up and going down. This enhancement request introduces a configurable delay timer before deciding a link is down, especially with link state propagation enabled.

Conditions:
None.

Workaround:
NA

Further Problem Description:

Last Modified:
24-JUN-2016
Known Affected Releases:
DULCE_VIDA
Known Fixed Releases: *
7.3(0)TSH(0.99), 96.2(11.12), 97.1(0.12), 97.1(1.25), 97.1(2.44), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCuz90338
Title:
Per-tunnel QoS does not work with IKEv2
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
With per-tunnel QoS, the packet classification does not work

Conditions:
- IKEv2 is used
- "match tunnel-group" statement is used in class-map

Workaround:
Use IKEv1

Further Problem Description:

Last Modified:
20-JUN-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux97494
Title:
ENH: ASA inventory should display SFP transceivers details
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
The ASA should list in show inventory the SFP transceivers installed in the Cisco ASA interface card (ASA-IC-6GE-SFP-A/B/C).

The ASA should display transceiver details with the command 'sh interface GigabitEthernet1/x transceiver', similar to the output displayed by a switch.
Switch output example:
switch# sh interface ethernet 1/X transceiver
Ethernet1/X
transceiver is present
type is 1000base-SX
name is XXX
part number is XXX
revision is
serial number is XXX
nominal bitrate is 1300 MBit/sec
cisco part number is xx
cisco product id is
cisco vendor id is Vxx

Conditions:
NONE

Workaround:
NONE

Further Problem Description:

Last Modified:
16-JUN-2016
Known Affected Releases:
9.0, 9.1, 9.2, 9.3, 9.4, 9.5
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCva06613
Title:
CSM showing syslogs in reverse direction
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
CSM showing syslogs in reverse direction

Conditions:
CSM running 4.8 SP1

Workaround:

Further Problem Description:

Last Modified:
14-JUN-2016
Known Affected Releases:
9.1(6.199)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCva03270
Title:
Create a Chrome directory under Xpix/unicorn/cte/extension
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The extension directory has no subdirectory for Chrome extension related files.

Conditions:
NA

Workaround:
NA

Further Problem Description:

Last Modified:
10-JUN-2016
Known Affected Releases:
9.7(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz24909
Title: *
ENH: Add optional restart timer on ASA for OSPF (Cisco NSF)
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Manually configuring the restart timer via NSF for OSPF is not possible when using "nsf cisco".

Conditions:
Using "nsf cisco" for OSPF

Workaround:
Use "nsf ietf".

Further Problem Description:

Last Modified:
02-JUN-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCva00432
Title:
Add logging discriminator function to ASA
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Request to add the "logging discriminator" feature from IOS to the ASA, in order to allow specific syslogs to be sent to different hosts

Conditions:
NA

Workaround:
NA

Further Problem Description:

Last Modified:
09-JUN-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:

Find additional information in Bug Search index.

2015 Cisco and/or its affiliates. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks