Release Notes for the Cisco ASA Series, 9.5(x)
First Published: 2015-08-31
Last Modified: 2017-04-17
This document contains release information for Cisco ASA software Version 9.5(x).
Important Notes
• Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
• E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands are no longer supported.
• CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) are no longer supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.
• Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) are no longer supported.
• The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."
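A fleet check for the uptime limit in the first note above, as an added example (not Cisco code): it reads the software version and uptime from saved show version output and reports how close an affected unit is to 213 days. The sample outputs are constructed, and the layout of the version and uptime lines, the 30-day warning window and the 365-day year are assumptions.

```python
import re

LIMIT_DAYS = 213            # uptime limit given in the note for CSCvd78303
AFFECTED_BASE = (9, 5, 3)   # affected range per the note: 9.5(3) ...
AFFECTED_MAX_INTERIM = 6    # ... through 9.5(3.6)

# Accept both spellings of an interim build: 9.5(3)6 and 9.5(3.6).
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+"
    r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")
# Uptime line of the form "<hostname> up 198 days 4 hours" (assumed layout).
# Requiring a single-token hostname skips a "failover cluster up ..." line.
UPTIME_RE = re.compile(r"^(\S+) up (.+)$", re.MULTILINE)
UNIT_SECONDS = {"year": 365 * 86400, "day": 86400, "hour": 3600,
                "min": 60, "sec": 1}


def parse_version(text):
    """Return (major, minor, maintenance, interim) from show version text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA software version line found")
    major, minor, maint, dotted, suffix = m.groups()
    return int(major), int(minor), int(maint), int(dotted or suffix or 0)


def parse_uptime_days(text):
    """Return (hostname, uptime in days) from the device uptime line."""
    m = UPTIME_RE.search(text)
    if not m:
        raise ValueError("no uptime line found")
    seconds = 0
    for value, unit in re.findall(r"(\d+)\s+(year|day|hour|min|sec)s?",
                                  m.group(2)):
        seconds += int(value) * UNIT_SECONDS[unit]
    return m.group(1), seconds / 86400


def assess(show_version_text, warn_days=30):
    """Classify one device against the 213-day limit."""
    version = parse_version(show_version_text)
    host, days_up = parse_uptime_days(show_version_text)
    affected = (version[:3] == AFFECTED_BASE
                and version[3] <= AFFECTED_MAX_INTERIM)
    days_left = round(LIMIT_DAYS - days_up, 1)
    if not affected:
        status = "not-affected"
    elif days_left <= 0:
        status = "overdue"        # past the limit: may already be impacted
    elif days_left <= warn_days:
        status = "reboot-soon"    # schedule the reboot or upgrade now
    else:
        status = "ok"
    return {"host": host, "version": version, "affected": affected,
            "days_up": round(days_up, 1), "days_left": days_left,
            "status": status}


# Constructed excerpts of show version output (not captured from real devices).
SAMPLES = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.5(3)2\n"
                  "Device Manager Version 7.6(2)\n\n"
                  "fw-edge-01 up 198 days 4 hours\n",
    "fw-dc-02":   "Cisco Adaptive Security Appliance Software Version 9.5(3)9\n"
                  "Device Manager Version 7.6(2)\n\n"
                  "fw-dc-02 up 250 days 1 hour\n",
    "fw-lab-03":  "Cisco Adaptive Security Appliance Software Version 9.5(3.6)\n"
                  "\nfw-lab-03 up 40 days 2 hours\n",
    "fw-old-04":  "Cisco Adaptive Security Appliance Software Version 9.5(3)\n"
                  "\nfw-old-04 up 1 year 2 days\n"
                  "failover cluster up 1 year 2 days\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = assess(text)
        print(f"{r['host']:<12} {r['status']:<13} "
              f"up {r['days_up']} d, {r['days_left']} d to limit")
```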
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Note: Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.
Feature and description
Remote Access Features
Feature: Configurable SSH encryption and HMAC algorithm
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers
Also available in 9.1(7) and 9.4(3).
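An audit of the SSH cipher proposal described above, as an added example that is not part of the release notes: it reads a saved running configuration and reports whether 3des-cbc is still proposed. The sample configurations are constructed; it assumes that a configuration with no ssh cipher encryption line uses the default order quoted above and that a custom list is colon-separated.

```python
import re

# Default proposal order, copied from the release note above.
DEFAULT_ORDER = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                 "aes128-ctr", "aes192-ctr", "aes256-ctr"]

# "ssh cipher encryption <keyword> [<list>]" on a line of its own.
LINE_RE = re.compile(
    r"^[ \t]*ssh cipher encryption[ \t]+(\S+)(?:[ \t]+(\S+))?[ \t]*$",
    re.MULTILINE)


def audit_ssh_ciphers(running_config):
    """Return the effective cipher proposal and any findings for one config."""
    matches = LINE_RE.findall(running_config)
    if not matches:
        # Assumption: no explicit line means the default order applies.
        source, proposed = "default", list(DEFAULT_ORDER)
    else:
        keyword, arg = matches[-1]          # the last matching line wins
        if keyword == "custom" and arg:
            # Assumption: custom lists are colon-separated.
            source, proposed = "custom", arg.split(":")
        else:
            # Other keywords are not described in the note: leave unresolved.
            source, proposed = keyword, None

    findings = []
    if proposed is None:
        findings.append(f"keyword '{source}' in use; cipher list not resolved")
    else:
        unknown = [c for c in proposed if c not in DEFAULT_ORDER]
        if unknown:
            findings.append("names not in the documented list: "
                            + ", ".join(unknown))
        if proposed and proposed[0] == "3des-cbc":
            findings.append("3des-cbc is proposed first (slow secure copy)")
        elif "3des-cbc" in proposed:
            findings.append("3des-cbc is still proposed")
    return {"source": source, "proposed": proposed, "findings": findings}


# Constructed configuration excerpts (not taken from real devices).
CONFIG_DEFAULT = """hostname fw-a
ssh 10.0.0.0 255.255.255.0 management
ssh timeout 10
"""
CONFIG_CUSTOM = """hostname fw-b
ssh cipher encryption custom aes128-cbc
ssh timeout 10
"""
CONFIG_MIXED = """hostname fw-c
ssh cipher encryption custom aes256-ctr:3des-cbc:aes512-gcm
"""
CONFIG_KEYWORD = """hostname fw-d
ssh cipher encryption high
"""

if __name__ == "__main__":
    for name, cfg in [("fw-a", CONFIG_DEFAULT), ("fw-b", CONFIG_CUSTOM),
                      ("fw-c", CONFIG_MIXED), ("fw-d", CONFIG_KEYWORD)]:
        result = audit_ssh_ciphers(cfg)
        print(name, result["source"], result["proposed"])
        for finding in result["findings"]:
            print("   -", finding)
```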
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note: This release supports only the ASAv.
Feature and description
Platform Features
Feature: Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.
Licensing Features
Feature: Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.
Note: Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return
No ASDM support.
Feature: Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
Note: If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command, or use the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration
We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note: This release supports only the ASA on the Firepower 9300.
Feature and description
Platform Features
Feature: VPN support for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now configure VPN features.
Firewall Features
Feature: Flow off-load for the ASA on the Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.
Also requires FXOS 1.1.3.
We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.
We added or modified the following screens: Configuration > Firewall > Advanced > Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules under Configuration > Firewall > Service Policy Rules.
High Availability Features
Feature: Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Feature: Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note: If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature strong-encryption
We modified the following screen: Configuration > Device Management > Licensing > Smart License
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Feature and description
Platform Features
Feature: Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following command: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay
We modified the following screen: Configuration > Device Management > Hardware Bypass
Also in Version 9.4(1.225).
Firewall Features
Feature: DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.
We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.
We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.
Feature: Diameter inspection
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.
We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported
We added or modified the following screens:
Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab
Feature: SCTP inspection and access control
You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.
We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp
We added or modified the following screens:
Configuration > Firewall > Access Rules add/edit dialogs
Configuration > Firewall > Advanced > ACL Manager add/edit dialogs
Configuration > Firewall > Advanced > Global Timeouts
Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT Settings dialog box
Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs
Configuration > Firewall > Objects > Inspect Maps > SCTP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection and Connection Settings tabs
Feature: Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.
We modified the following command: show local-host
We did not modify any screens.
Feature: Captive portal for active authentication on ASA FirePOWER 6.0
The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.
We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.
High Availability Features
Feature: LISP Inspection for Inter-Site Flow Mobility
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.
We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key
We introduced or modified the following screens:
Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration
Configuration > Firewall > Objects > Inspect Maps > LISP
Configuration > Firewall > Service Policy Rules > Protocol Inspection
Configuration > Firewall > Service Policy Rules > Cluster
Monitoring > Routing > LISP-EID Table
Feature: ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.
We did not modify any commands.
We did not modify any screens.
Feature: Configurable level for clustering trace entries
By default, all levels of clustering events are included in the trace buffer, including many low level events. To limit the trace to higher level events, you can set the minimum trace level for the cluster.
We introduced the following command: trace-level
We did not modify any screens.
Interface Features
Feature: Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.
We introduced or modified the following commands: vlan secondary, show vlan mapping
We modified the following screens:
Configuration > Device Setup > Interface Settings > Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General
Routing Features
Feature: PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs.
We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers
We introduced the following screen: Configuration > Device Setup > Routing > Multicast > PIM > Bootstrap Router
Remote Access Features
Feature: Support for Remote Access VPN in multiple context mode
You can now use the following remote access features in multiple context mode:
• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
• Centralized AnyConnect image configuration
• AnyConnect image upgrade
• Context Resource Management for AnyConnect connections
Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.
We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect
We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class
Feature: Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality
The ASA acts as a SAML Service Provider.
Feature: Clientless SSL VPN conditional debugging
You can debug logs by filtering, based on the filter condition sets, and can then better analyze them.
We introduced the following additions to the debug command:
• [no] debug webvpn condition user <user name>
• [no] debug webvpn condition group <group name>
• [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]
• [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]
• debug webvpn condition reset
• show debug webvpn condition
• show webvpn debug-condition
Feature: Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.
webvpn
 cache
  no disable
We modified the following command: cache
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache
Licensing Features
Feature: Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.
We introduced the following command: auto-import
We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool > Edit Policy
Feature: New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.
We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version
We modified the following screen: Configuration > Device Management > Licensing > Smart License
Monitoring Features
Feature: SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.
We modified the following commands: snmp-server user, no snmp-server user
We did not add or modify any screens.
Also available in 9.4(3).
Feature: show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the following cases:
◦ SSL VPN configuration: check if the required resources are on the ASA
◦ Crash: check for the date timestamp and presence of a crash file
• Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
Feature: logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection were disconnected (due to network connectivity or timeout), then the debugs were removed. Now, debugs persist for as long as the logging command is in effect.
We modified the following command: logging debug-trace
We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
Feature and description
Platform Features
Feature: Support for ASA FirePOWER 6.0
The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.
Feature: Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X
You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
Feature and description
Remote Access Features
Feature: AnyConnect Version 4.2 support
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note: This release supports only the ASAv.
Feature and description
Platform Features
Feature: Microsoft Hyper-V supervisor support
Extends the hypervisor portfolio for the ASAv.
Feature: ASAv5 low memory support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note: This version does not support the Firepower 9300 ASA security module or the ISA 3000.
Feature and description
Firewall Features
Feature: GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.
We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint
We deprecated the following command: timeout gsn
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP
Feature: IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.
We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options
Feature: Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.
High Availability Features
Feature: Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.
We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration
Feature: ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.
We introduced the following command: health-check auto-rejoin
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin
Feature: The ASA cluster supports GTPv1 and GTPv2
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any commands.
We did not modify any screens.
Feature: Cluster replication delay for TCP connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.
We introduced the following command: cluster replication delay
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Feature: Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following command: health-check monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Feature: Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.
We modified the following commands: failover lan interface, failover link
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup
Routing Features
Feature: Support for IPv6 in Policy Based Routing
IPv6 addresses are now supported for Policy Based Routing.
We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
Feature: VXLAN support for Policy Based Routing
You can now enable Policy Based Routing on a VNI interface.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General
Feature: Policy Based Routing support for Identity Firewall and Cisco Trustsec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
Feature: Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.
We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only
We did not modify any screens.
Feature: Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.
We did not modify any commands.
We did not modify any screens.
Remote Access Features
Feature: IPv6 VLAN Mapping
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.
Feature: Clientless SSL VPN SharePoint 2013 Support
Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates
Feature: Dynamic Bookmarks for Clientless VPN
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
Feature: VPN Banner Length Increase
The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.
We modified the following command: banner (group-policy).
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner
Feature: Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging > Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
Show invalid usernames in syslog messages
REST API Features
We added support for the REST API Version 1.2.1.
REST API Version 1.2.1
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Path
See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.
| Current ASA Version | First Upgrade to: | Then Upgrade to: |
|---|---|---|
| 8.2(x) and earlier | 8.4(6) | 9.1(3) and later |
| 8.3(x) | 8.4(6) | 9.1(3) and later |
| 8.4(1) through 8.4(4) | 8.4(6) or 9.0(2+) | 9.1(3) and later |
| 8.4(5+) | — | 9.1(3) and later |
| 8.5(1) | 9.0(2+) | 9.1(3) and later |
| 8.6(1) | 9.0(2+) | 9.1(3) and later |
| 9.0(1) | 9.0(2+) | 9.1(3) and later |
| 9.0(2+) | — | 9.1(3) and later |
| 9.1(1) | 9.1(2) | 9.1(3) and later |
| 9.1(2+) | — | 9.1(3) and later |
| 9.2(x) | — | 9.2(2) and later |
| 9.3(x) | — | 9.3(2) and later |
| 9.4(x) | — | 9.4(2) and later |
| 9.5(x) | — | 9.5(2) and later |
| 9.6(x) | — | 9.6(2) and later |
| 9.7(x) | — | 9.8(1) and later |
Upgrade Link
To complete your upgrade, see Upgrade to ASA 9.4 and ASDM 7.4.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.5(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.5(x):
• 9.5 open bug search.
The following table lists open bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| CSCto19832 | OpenLDAP needs to be upgraded or patched |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw83618 | ASA5508X SSD LED always green even when SSD is removed |
| CSCux20294 | Free memory drops to 0 after clientless VPN Test |
| CSCux75565 | ASA/DOC: Spaces can be used in LDAP DN |
| CSCux85525 | XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability |
| CSCux85527 | XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab |
| CSCux85528 | XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability |
| CSCux85532 | XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability |
| CSCux85533 | XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili |
| CSCuy28172 | DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers |
| CSCuy47780 | 5508 and 5516 Devices may not boot 9.5.1 or later images |
| CSCuy85511 | libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit |
| CSCuz05856 | XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial |
| CSCuz67536 | Configuration retrieval from external server fails in multicontext mode |
| CSCuz81201 | ASA 5506 interface Counters & OIDs showing incorrect value for traffic! |
| CSCva32092 | OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva46651 | ASAv Azure: ASAv not responding or passing traffic |
| CSCva52514 | ASAv-Azure: waagent may reload when asav deployed with load balancer |
| CSCva62667 | Shut down interfaces shows up in ASP routing table |
| CSCva69346 | Unable to relay DHCP discover packet from ASA when NAT is matched |
| CSCva70079 | SIP packets mangled when using TLS1.2 and ASA is server |
| CSCva72317 | Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability |
| CSCva72318 | XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne |
| CSCva72319 | XMLSoft libxml2 Format String Vulnerability |
| CSCva79278 | ASAv: TCP state bypass not matching the traffic required |
| CSCva84089 | ASA Crash Checkheap Free Buffer Corrupted |
| CSCva89342 | Interfaces get deleted on SFR during Multi-context HA configuration sync |
| CSCvb11599 | ASAv Azure: ASAv30 Anyconnect peer support. |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.5(3.9)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| CSCtw90511 | Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
| CSCuc11186 | ARP: Proxy IP traffic is hijacked. |
| CSCum70304 | FIPS self test power on fails - fipsPostDrbgKat |
| CSCum74032 | ASA traceback on standby when SNMP polling |
| CSCun21186 | ASA traceback when retrieving idfw topn user from slave |
| CSCup37416 | Stale VPN Context entries cause ASA to stop encrypting traffic |
| CSCup96099 | "show resource usage detail counter all 1" causes cpu hog |
| CSCuq80704 | ASA classifies TCP packets as PAWS failure incorrectly |
| CSCur87011 | ASA low DMA memory on low end ASA-X -5512/5515 devices |
| CSCus10787 | Transactional ACL commit will bypass security policy during compilation |
| CSCus16416 | Share licenses are not activated on failover pair after power cycle |
| CSCus37458 | ASA traceback in Thread name DATAPATH when handling multicast packet |
| CSCus53126 | ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
| CSCut10103 | ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL |
| CSCut14209 | Cisco ASA XML Denial of Service Vulnerability |
| CSCuu48197 | ASA: Stuck uauth entry rejects AnyConnect user connections |
| CSCuu50708 | ASA Traceback on 9.1.5.19 |
| CSCuv20449 | Traceback in Thread Name: ssh when using capture or continuous ping |
| CSCuv47191 | 9.5.1 - Crash in bcm_esw_init thread |
| CSCuv49446 | ASA traceback on Standby device during config sync in thread DATAPATH |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw02009 | ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
| CSCuw19671 | ASA traceback while restoring backup configuration from ASDM |
| CSCuw28735 | Cisco ASA Software Version Information Disclosure Vulnerability |
| CSCuw39685 | ASA - Filtering HTTP via Websense or SFR may cause memory corruption |
| CSCuw44038 | Watchdog traceback in ldap_client_thread with large number of ldap grps |
| CSCuw48499 | QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
| CSCuw51576 | SSH connections are not timed out on ASA (stuck in rtcli) |
| CSCuw55813 | Standby ASA traceback in Thread Name: EIGRP-IPv4 |
| CSCuw71147 | Traceback in Unicorn Proxy Thread, in http_header_by_name |
| CSCuw87331 | ASA: Traceback in Thread name DATAPATH-7-1918 |
| CSCuw90116 | ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
| CSCuw92005 | Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly |
| CSCuw95262 | After some time flash operations fail and configuration can not be saved |
| CSCux00686 | Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS) |
| CSCux03626 | Traceback in thread name: Unicorn Proxy Thread |
| CSCux05081 | RSA 4096 key generation causes failover |
| CSCux07002 | ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
| CSCux08783 | CWS: ASA does not append XSS headers |
| CSCux08838 | ASA: Traceback in Checkheaps |
| CSCux09181 | http-form authentication fails after 9.3.2 |
| CSCux09310 | ASA traceback when using an ECDSA certificate |
| CSCux10499 | Smart Tunnel starts and Java closes without any message |
| CSCux11440 | ASA traceback in Unicorn Proxy Thread |
| CSCux15273 | show memory indicates inaccurate free memory available |
| CSCux16427 | PBR incorrect route selection for deny clause |
| CSCux17527 | ASA memory leak related to Botnet |
| CSCux18455 | SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB |
| CSCux20178 | OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
| CSCux21955 | ASA: FAILOVER not working with password encryption. |
| CSCux23659 | ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd |
| CSCux29842 | Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
| CSCux29929 | ASA 9.4.2 traceback in DATAPATH |
| CSCux30780 | GTPv1 traceback in gtpv1_process_msg |
| CSCux33808 | ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16] |
| CSCux35538 | Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
| CSCux36112 | PBR: Mem leak in cluster mode due to policy based route |
| CSCux37303 | Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
| CSCux37442 | Cisco signed certificate expired for WebVpn Port Forward Binary on ASA |
| CSCux41145 | Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
| CSCux42936 | ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection |
| CSCux43978 | DHCP Relay fails for cluster ASAs with long interface names |
| CSCux45179 | SSL sessions stop processing -"Unable to create session directory" error |
| CSCux47195 | ASA(9.5.2) changing the ACK number sent to client with SFR redirection |
| CSCux56111 | "no ipv6-vpn-addr-assign" CLI not working |
| CSCux59122 | ASA L7 policy-map comes into affect only if the inspection is re-applied |
| CSCux61257 | ASA: Traceback in Thread IP Address Assign |
| CSCux66866 | Traffic drop due to constant amount of arp on ASASM |
| CSCux69987 | ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
| CSCux70784 | ASA traceback while viewing large ACL |
| CSCux70998 | Reload in Thread Name: IKE Daemon |
| CSCux71197 | "show resource usage" gives wrong number of routes after shut/no sh |
| CSCux72610 | ASA TACACS+: process tacplus_snd uses large percentage of CPU |
| CSCux72835 | ASA 9.5 - OCSP check using global routing table instead of management |
| CSCux81683 | ASA Traceback on Thread Name: Unicorn Admin Handler |
| CSCux82835 | Nat pool exhausted observed when enabling asp transactional-commit nat |
| CSCux86769 | VLAN mapping doesn't work when connection falls back to TLS |
| CSCux87457 | ASA traceback in Thread Name: https_proxy |
| CSCux88237 | ASA traceback in DATAPATH thread |
| CSCux92157 | ASA Traceback Assert in Thread Name: ssh_init with component ssh |
| CSCux93751 | Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
| CSCux94598 | ASA using a huge dynamic ACL may cause Anyconnect connectivity failures |
| CSCux96716 | ASA tracebacks when replicating Xlate to the standby/slave |
| CSCux98029 | ASA reloads with traceback in thread name DATAPATH or CP Processing |
| CSCuy00296 | Traceback in Thread: IPsec message handler |
| CSCuy01420 | ASA traceback in Thread Name: Unicorn Proxy Thread. |
| CSCuy01438 | ASA traceback with SIP inspection and SFR enabled in 9.5.2 |
| CSCuy03024 | ASA traceback and reload citing Thread Name: idfw_proc |
| CSCuy05949 | ASA: MAC address changes on active context when WRITE STANDBY is issued |
| CSCuy06125 | Re-adding context creates context without configs on some slaves |
| CSCuy07753 | Smart tunnel does not work since Firefox 32bit version 43 |
| CSCuy11281 | ASA: Assert traceback in version 9.4.2 |
| CSCuy11905 | ASA 5585 traceback when the User name is mentioned in the Access list |
| CSCuy13937 | ASA Watchdog traceback in CP Processing thread during TLS processing |
| CSCuy15636 | ASA may traceback with:DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685 |
| CSCuy21206 | Traceback when drop is enabled with diameter inspection and tls-proxy |
| CSCuy21287 | STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload |
| CSCuy22561 | VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
| CSCuy25163 | Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
| CSCuy32321 | Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
| CSCuy32728 | VPN LB stops working when cluster encryption is configured |
| CSCuy32964 | ASA Crash on cluster member or on standby member of failover pair after replication of conns |
| CSCuy34265 | ASA Access-list missing and losing elements after configuration change |
| CSCuy36897 | Can't navigate to OWA 2013 due to ssl errors |
| CSCuy40207 | Traceback: assertion "0" failed: file "ctm_daemon.c" |
| CSCuy41986 | OCSP validation fails when multiple certs in chain are verified |
| CSCuy42223 | BGP:Deployment failed with reason supported on management-only interface |
| CSCuy43839 | ASA reloads in thread name: DATAPATH while encrypting L2L packet |
| CSCuy44472 | BVI : Interface IPv6 address deleted from standby context on HA - A/A |
| CSCuy45475 | ASA : Configuration not replicated on mate if standby IP is missing |
| CSCuy47706 | Traceback at gtpv1_process_pdp_create_req |
| CSCuy50406 | Crash in proxyi_rx_q_timeout_timer |
| CSCuy51918 | Buffer overflow in RAMFS dirent structure causing traceback |
| CSCuy54567 | Evaluation of pix-asa for OpenSSL March 2016 |
| CSCuy55468 | Unicorn Proxy Thread causing CP contention |
| CSCuy57644 | ASAv sub-interface failing to send traffic with customised mac-address |
| CSCuy63642 | ASA 9.1(6) traceback processing outbound DTLS Packet |
| CSCuy66942 | Cisco ASA Software DHCP Relay Denial of Service vulnerability |
| CSCuy73652 | Traceback in thread name idfw when modifying object-group having FQDN |
| CSCuy74218 | Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
| CSCuy78802 | orignial master not defending all GARP packets after cluster split brain |
| CSCuy80070 | OSPF routes not populating over L2L tunnel |
| CSCuy82905 | ASA crashes when global access-list config is cleared |
| CSCuy85243 | ASA traceback when receive Radius attribute with improper variable type |
| CSCuy87597 | ASA - Traceback in CP Processing Thread During Private Key Decryption |
| CSCuy90936 | ASA may stop responding to OSPF Hello packets |
| CSCuy95543 | Improve efficiency of malloc_avail_freemem() |
| CSCuy96391 | ASA clientless rewriter failure at 'CSCOPut_hash' function |
| CSCuz00077 | ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
| CSCuz04534 | Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
| CSCuz08625 | ASA traceback in SSH thread |
| CSCuz09255 | ASA does not respond to NS in Active/Active HA |
| CSCuz09394 | infinite loop in JS rewriter state machine when return followed by var |
| CSCuz10371 | ASA Traceback and reload by strncpy_sx.c |
| CSCuz14600 | Kenton 9.5.1'boot system/boot config' commands not retained after reload |
| CSCuz14808 | 5585-10 traceback in Thread Name: idfw_proc |
| CSCuz16398 | Incorrect modification of NAT divert table. |
| CSCuz16565 | 9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
| CSCuz21068 | CSCOPut_hash can initiate unexepected requests |
| CSCuz21178 | ASA traceback in threadname ssh |
| CSCuz23354 | CPU usage is high after timer dequeue failed in GTP |
| CSCuz28000 | Context config may get rejected if all the units in Cluster reloaded |
| CSCuz30425 | Network command disappears from BGP after reload with name |
| CSCuz33255 | Traceback in IKEv2 Daemon with 20+ second CPU hog. |
| CSCuz36938 | Traceback on editing a network object on exceeding the max snmp hosts |
| CSCuz38115 | ASA Tback when large ACL applied to interface with object-group-search |
| CSCuz38180 | ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
| CSCuz38888 | WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
| CSCuz40081 | ASA memory leak due to vpnfo |
| CSCuz40793 | Interfaces get deleted on SFR during HA configuration sync |
| CSCuz42390 | ASA Stateful failover for DRP works intermittently |
| CSCuz44687 | Traceback data path self deadlock panic while attempt to get spin lock |
| CSCuz44968 | Commands not installed on Standby due to parser switch |
| CSCuz47295 | Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability |
| CSCuz52474 | Evaluation of pix-asa for OpenSSL May 2016 |
| CSCuz54193 | ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
| CSCuz54545 | ASA Address not mapped traceback - configuring snmp-server host |
| CSCuz61092 | Interface health-check failover causes OSPF not to advertise ASA as ABR |
| CSCuz63531 | Observing Memory corruption, assert for debug ospf |
| CSCuz64603 | GTP traceback at gtp_update_sig_conn_timestamp while processing data |
| CSCuz66661 | ASA Cut-through Proxy inactivity timeout not working |
| CSCuz67349 | ASA Cluster fragments reassembled before transmission with no inspection |
| CSCuz67590 | ASA may Traceback with Thread Name: cluster rx thread |
| CSCuz67596 | ASA may Traceback with Thread Name: Unicorn Admin Handler |
| CSCuz67690 | ASA crashed due to Election severe problem no master is promoted |
| CSCuz70330 | ASA: SSH being denied on the ASA device as the maximum limit is reached |
| CSCuz72352 | traceback during tls-proxy handshake |
| CSCuz80281 | IPv6 neighbor discovery packet processing behavior |
| CSCuz90648 | 2048/1550/9344 Byte block leak cause traffic disruption & module failure |
| CSCuz92074 | ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
| CSCuz92921 | ASA crashes while clearing global access-list |
| CSCuz94862 | IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
| CSCuz95806 | DNS Doctoring DNS64 is not working |
| CSCuz98220 | ASA traceback with Thread Name: Dispatch Unit |
| CSCuz98704 | Traceback in CP Processing thread after upgrade |
| CSCva00190 | ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
| CSCva00939 | Remove ACL warning messages in show access-list when FQDN is resolved |
| CSCva01570 | Unexpected end of file logon.html in WebVPN |
| CSCva02817 | ASA not rate limiting with DSCP bit set from the Server |
| CSCva03607 | show service-policy output reporting incorrect values |
| CSCva03982 | ASA : Mem leak in cluster mode due to PBR lookup |
| CSCva10054 | ASA ASSERT traceback in DATAPATH due to sctp inspection |
| CSCva15911 | On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
| CSCva16471 | IPv6 OSPF routes do not update when a lower metric route is advertised |
| CSCva24924 | ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
| CSCva26771 | ASA : PBR Mem leak as packet dropped |
| CSCva31378 | ASA treaceback at Thread Name: rtcli async executor process |
| CSCva35439 | ASA DATAPATH traceback (Cluster) |
| CSCva36202 | BGP Socket not open in ASA after reload |
| CSCva38556 | Cisco ASA Input Validation File Injection Vulnerability |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva39804 | Interfaces get deleted on SFR during cluster rejoining |
| CSCva40844 | Crypto accelerator ring timeout causes packet drops |
| CSCva46920 | Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
| CSCva49256 | memory leak in ssh |
| CSCva62861 | uauth is failed after failover |
| CSCva68987 | ASA drops ICMP request packets when ICMP inspection is disabled |
| CSCva69584 | OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
| CSCva69799 | ASA stuck in boot loop due to FIPS Self-Test failure |
| CSCva70095 | ASA negotiates TLS1.2 when server in tls-proxy |
| CSCva76568 | ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
| CSCva77852 | ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
| CSCva81749 | IPV6 address not assigned when connecting via IPSEC protocol |
| CSCva84635 | ASA: CHILD_SA collision brings down IKEv2 SA |
| CSCva85382 | ASA memory leak for CTS SGT mappings |
| CSCva87077 | GTP traceback at gtpv1_process_msg for echo response |
| CSCva87160 | OTP authentication is not working for clientless ssl vpn |
| CSCva88796 | AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
| CSCva90806 | ASA Traceback when issue 'show asp table classify domain permit' |
| CSCva91420 | ASA Traceback in CTM Message Handler |
| CSCva92151 | Cisco ASA SNMP Remote Code Execution Vulnerability |
| CSCva92813 | ASA Cluster DHCP Relay doesn't forward the server replies to the client |
| CSCva94702 | Enqueue failures on DP-CP queue may stall inspected TCP connection |
| CSCvb03994 | Traceback in IKE_DBG |
| CSCvb05667 | H.323 inspection causes Traceback in Thread Name: CP Processing |
| CSCvb05787 | traceback in network udpmod_get after anyconnect test load application |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |
| CSCvb13737 | wr mem/ wr standby is not syncing configs on standby |
| CSCvb14997 | ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
| CSCvb19251 | ASA as DHCP relay drops DHCP 150 Inform message |
| CSCvb19843 | Buffer Overflow in ASA Leads to Remote Code Execution |
| CSCvb22435 | ASA Traceback in thread name CP Processing due to DCERPC inspection |
| CSCvb22848 | ASA 9.1.7-9 crash in Thread Name: NIC status poll |
| CSCvb27868 | ASA 1550 block depletion with multi-context transparent firewall |
| CSCvb29411 | AAA authentication/authorization fails if only accessible via mgmt vrf |
| CSCvb29688 | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| CSCvb30445 | ASA may generate DATAPATH Traceback with policy-based routing enabled |
| CSCvb31833 | Traceback : ASA with Threadname: DATAPATH-0-1790 |
| CSCvb32297 | WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
| CSCvb36199 | Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
| CSCvb39147 | Lower NFS throughput rate on Cisco ASA platform |
| CSCvb45039 | ASA traceback with Thread Name aaa_shim_thread |
| CSCvb48640 | Evaluation of pix-asa for Openssl September 2016 |
| CSCvb49273 | Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
| CSCvb52988 | ASA Traceback Thread Name: emweb/https |
| CSCvb63503 | AAA session handle leak with IKEv2 when denied due to time range |
| CSCvb63819 | ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
| CSCvb64161 | ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
| CSCvb68766 | ASA traceback at Thread Name: IKE Daemon. |
| CSCvb74249 | ASA dropping traffic with TCP syslog configured in multicontext mode |
| CSCvd78303 | ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
Resolved Bugs in Version 9.5(2.200)
There were no bugs fixed in 9.5(2.200).
Resolved Bugs in Version 9.5(2.1)
There were no bugs fixed in 9.5(2.1).
Resolved Bugs in Version 9.5(2)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(2):
• 9.5(2) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
| Identifier | Description |
|---|---|
| CSCuv94338 | ASA traceback in Thread Name: CP Crypto Result Processing. |
| CSCuu27334 | ASA: Traceback with Thread Name - AAA |
| CSCuu73395 | Auth-prompt configured in one context appears in another context |
| CSCuv32615 | ASA: LDAP over SSL Authentication failure |
| CSCuv12884 | Unable to authenticate with remove aaa-server from different context |
| CSCuw00971 | ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) |
| CSCut28210 | AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
| CSCus47259 | Cisco ASA XAUTH Bypass Vulnerability |
| CSCut27332 | ASA traceback in aaa_shim_thread / command author done for dACL install |
| CSCuu48626 | ASA - access list address argument changed from host 0.0.0.0 to host :: |
| CSCuv92371 | ASA traceback: SSH Thread: many users logged in and dACLs being modified |
| CSCuv12564 | Memory leak @regcomp_unicorn with APCF configured |
| CSCus56590 | ASA - Traceback in Thread Name: fover_parse |
| CSCuw09578 | ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
| CSCuv87150 | ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
| CSCut88287 | ASA Traceback in vpnfol_thread_msg |
| CSCuv87760 | Unicorn proxy thread traceback with RAMFS processing |
| CSCus32005 | ASA - Traceback in thread name SSH while applying BGP show commands |
| CSCuu10284 | ASA Dataplane captures dont capture packets when using match/access-list |
| CSCuu61573 | 9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain |
| CSCur20322 | ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment |
| CSCus97061 | ASA Cluster member traceback in DATAPATH |
| CSCuv39775 | ASA cluster-Incorrect "current conns" counter in service-policy |
| CSCuu28909 | ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
| CSCuw36853 | ASA: ICMP error loop on cluster CCL with Interface PAT |
| CSCut56198 | Clustering: Traceback in DATAPATH with transparent FW |
| CSCuu66218 | ASA is not correctly handling errors on AES-GCM ICV |
| CSCuu18989 | ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit |
| CSCuu75901 | ASA failover due to issue show local-host command make CPU-hog |
| CSCus92856 | ASA traceback in DATAPATH Thread due to Double Block Free |
| CSCut40770 | Interface TLV to SFR is corrupt when frame is longer than 2048 bytes |
| CSCuv91730 | Request allow packets to pass when snort is down for ASA configurations |
| CSCuv58559 | Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF |
| CSCuw66397 | DHCP Server Process stuck if dhcpd auto_config already enabled from CLI |
| CSCuu84085 | DHCP-DHCP Proxy thread traceback shortly after failover and reload |
| CSCut44082 | EIGRP configuration not being correctly replicated between failover ASAs |
| CSCuu77207 | ASA - URL filter - traceback on thread name uauth_urlb clean |
| CSCut92194 | ASA traceback in Thread Name: CP Processing |
| CSCur07061 | Traceback on standby ASA during hitless upgrade |
| CSCuv01177 | ASA: traceback in IDFW AD agent |
| CSCze96017 | Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
| CSCuu45858 | ASA Traceback in cp_syslog |
| CSCut86523 | ASA: Silently Drops packets with SFR Module installed. |
| CSCuu73716 | Traceback in Thread CP Processing |
| CSCuu56912 | ASA change non-default port to 443 for https traffic redirected to CWS |
| CSCut30741 | ASA redirection to Scansafe tower fails with log id "775002" in syslog |
| CSCuu91304 | Immediate FIN from client after GET breaks scansafe connection |
| CSCuq99821 | ASA/ASASM drops SIP invite packets with From field containing "" and \ |
| CSCut48009 | Traceback in thread CP Processing |
| CSCut45114 | 2048-byte block leak if DNS server replies with "No such name" |
| CSCuu94945 | ASA: Traceback while copying file using SCP on ASA |
| CSCuw41548 | DNS Traceback in channel_put() |
| CSCut28217 | Active ASA in failover setup reboots on its own |
| CSCuu36639 | ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout |
| CSCus08239 | ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit |
| CSCuv70576 | Cisco ASA VPN Memory Block Exhaustion Vulnerability |
| CSCuo08193 | Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet |
| CSCuu39636 | Cert Auth fails with 'max simultaneous-login restriction' error |
| CSCuu82229 | ikev2 with DH 19 and above fails to pass traffic after phase2 rekey |
| CSCut75983 | ASA Traceback in PPP |
| CSCuw17930 | Improper S2S IPSec Datapath Selection for Remote Overlapping Networks |
| CSCuw22886 | Split-tunnel not working for EzVPN client on Kenton device (9.5.1) |
| CSCut95793 | ASA: Anyconnect IPv6 Traceroute does not work as expected |
| CSCut01856 | ASA dropping traffic with TCP syslog configured in multicontext mode |
| CSCuv07106 | ASATraceback in ssh whilst adding new line to extended ACL |
| CSCuu63656 | ASA not generating PIM register packet for directly connected sources |
| CSCuw22130 | ASA traceback when removing dynamic PAT statement from cluster |
| CSCtz98516 | Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
| CSCuu45812 | asa Traceback with Thread Name idfw_proc |
| CSCuu39615 | eglibc 2.18 is missing upstream fix #15073 |
| CSCuv96011 | OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards |
| CSCuv45756 | ASA may tracebeck when displaying packet capture with trace option |
| CSCuv11566 | ASA LDAP CRL query baseObject DN string is malformed |
| CSCuv66333 | ASA picks incorrect trustpoint to verify OCSP Response |
| CSCut67965 | CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
| CSCut15570 | Anyconnect SSL VPN certificate authentication fails o ASA |
| CSCuu46569 | ASA CA certificate import fails with different types of Name Constraints |
| CSCus78450 | ASA cert validation fails when suitable TP is above the resident CA cert |
| CSCuu45813 | ASA Name Constraints dirName improperly verified |
| CSCuv57389 | ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
| CSCuv88785 | RA validation failed when CA/subCA contains name constraints |
| CSCui20213 | 5585 interface counters show 0 for working interfaces and console errors |
| CSCuu04012 | ASA CX - Data Plane marked as DOWN untill ASA reload. |
| CSCuv10258 | ASA5505 permanent base license, temp secplus, failover, vlan count issue |
| CSCuw29566 | ASA5585 9.5(1): Support Failover Lan on Management0/0 port |
| CSCus62863 | Kenton 5516: Interface dropping ARPs after flapping under traffic load |
| CSCuq57307 | ASA 8.4 Memory leak due to duplicate entries in ASP table |
| CSCuw06294 | ASA: Traceback in Thread Name Checkheaps due to webvpn |
| CSCuv10938 | 'redistribute' cmds under 'router eigrp' removed on deleting any context |
| CSCuu53928 | ASA does not set forward address or p-bit in OSPF redistrubution in NSSA |
| CSCuu31751 | ASA OSPF database not reflect changes |
| CSCuv50968 | CRL download functionality seems to be broken on ASA |
| CSCuv42413 | Dynamic Route Not Installed After Failover |
| CSCut37974 | EIGRP authentication not working with simple pasword |
| CSCur09141 | RRI static routing changes not updated in routing table |
| CSCut10078 | Standby ASA does not apply OSPF route after config replication |
| CSCuv50709 | Standby ASA inside IP not reachable after Anyconnect disconnect |
| CSCuv79552 | Standby traceback during config replication with customization export |
| CSCuu06081 | ASAv licesing enforcement should not be CLI parser based |
| CSCuw59388 | Unable to load ASDM to a Context in Multiple Context Mode |
| CSCtx43501 | CPU hog due to snmp polling of ASA memory pool information |
| CSCuu04160 | snmpwalk causes slow memory leak on ASA |
| CSCuu84697 | ASA Traceback in Thread Name ssh/client |
| CSCus70693 | ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: |
| CSCut03981 | ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig |
| CSCus27650 | Cut Through proxy not working correctly with TLS1.2 |
| CSCuv51649 | SSL : Unable to Join nodes in Cluster |
| CSCuu02848 | Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL |
| CSCuu87823 | ASAv traceback in DATAPATH when used for WebVPN |
| CSCuv27197 | ASA SSLVPN RDP Plugin session freezes under heavy load with activex |
| CSCuv92384 | ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS |
| CSCuu86195 | conn-max counter is not decreased accordingly |
| CSCut39985 | Per-session PAT RST sent to incorrect direction after closing session |
| CSCut49111 | ASA traceback because of TD tcp-intercept feature |
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection | CSCuw26991
Cluster destabilizes when contexts are removed | CSCut36927
ASA: Watchdog Traceback with Thread Name:- SXP CORE | CSCuv43902
SXP Version Mismatch Between ASA & N7K with clustering | CSCur07369
ASAv Cannot remove/change default global_policy or inspection_default | CSCuw86069
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal | CSCut49034
Trace back with Thread Name: IP Address Assign | CSCuw14334
ASA allows citrix ICA connection without authentication | CSCut12513
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 | CSCuq97035
ASA WebVPN clientless cookie authentication bypass | CSCut71095
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread | CSCuv30184
ASA WebVPN: Javascript fails to execute when accessing internal portal | CSCuu32905
Clientless webvpn on ASA does not display asmx files | CSCuv05386
HTTP chunked data causing watchdog | CSCuv69235
Need to prevent traceback in js_parser_print_rest | CSCuv05916
PCP 10.6 Clientless VPN Access is Denied when accessing Pages | CSCuw87910
Traceback in WebVPN rewriter | CSCuw44744
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 | CSCuu78835
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon | CSCus46895
Webvpn: JS parser may crash if the underlying connection is closed | CSCuv86500
Resolved Bugs in Version 9.5(1.5)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1.5):
• 9.5(1.5) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Description | Identifier
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 | CSCuq97035
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit | CSCus08239
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig | CSCut03981
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal | CSCut49034
ASA: Anyconnect IPv6 Traceroute does not work as expected | CSCut95793
Auth-prompt configured in one context appears in another context | CSCuu73395
Traceback in Thread CP Processing | CSCuu73716
ASA failover due to issue show local-host command make CPU-hog | CSCuu75901
ASA - URL filter - traceback on thread name uauth_urlb clean | CSCuu77207
ASAv traceback in DATAPATH when used for WebVPN | CSCuu87823
Clientless webvpn on ASA does not display asmx files | CSCuv05386
Need to prevent traceback in js_parser_print_rest | CSCuv05916
ASA: CLI commands not showing help(?) options for local authorization | CSCuv09538
ASA LDAP CRL query baseObject DN string is malformed | CSCuv11566
Unable to authenticate with remove aaa-server from different context | CSCuv12884
ASA SSLVPN RDP Plugin session freezes under heavy load with activex | CSCuv27197
ASA: LDAP over SSL Authentication failure | CSCuv32615
ASA: Not able to remove ACE with "log default" keyword | CSCuv35243
ASA cluster-Incorrect "current conns" counter in service-policy | CSCuv39775
Dynamic Route Not Installed After Failover | CSCuv42413
ASA: Watchdog Traceback with Thread Name:- SXP CORE | CSCuv43902
ASA may tracebeck when displaying packet capture with trace option | CSCuv45756
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) | CSCuv57389
HTTP chunked data causing watchdog | CSCuv69235
Cisco ASA VPN Memory Block Exhaustion Vulnerability | CSCuv70576
Standby traceback during config replication with customization export | CSCuv79552
Webvpn: JS parser may crash if the underlying connection is closed | CSCuv86500
ASA traceback in Thread Name: fover_parse (ak47/ramfs) | CSCuv87150
Unicorn proxy thread traceback with RAMFS processing | CSCuv87760
RA validation failed when CA/subCA contains name constraints | CSCuv88785
Request allow packets to pass when snort is down for ASA configurations | CSCuv91730
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) | CSCuw00971
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test | CSCuw09578
traffic-forward interface command is not working on 5585 | CSCuw30700
Resolved Bugs in Version 9.5(1.200)
There were no bugs fixed in 9.5(1.200).
Resolved Bugs in Version 9.5(1)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1):
• 9.5(1) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Description | Identifier
AAA Authorization HTTP sends username in password field of authorization | CSCuu31281
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions | CSCus57241
Standalone AnyConnect fails to connect due to empty DAP user message | CSCuu73087
Add cli to control masked username in syslog | CSCur17006
ASA : Password creation date is decrementing by one with every reboot | CSCut96928
ASA: Traceback with Thread Name - AAA | CSCuu27334
[ASA] CTP not working if proxyACL port_argument is gt | CSCut22865
ASA tunnel-group"password-expire-in-days"not prompting a password change | CSCut54218
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue | CSCut28210
ASA traceback in aaa_shim_thread / command author done for dACL install | CSCut27332
ASA - access list address argument changed from host 0.0.0.0 to host :: | CSCuu48626
ASA 9.0.3 not logging permitted UDP traffic | CSCut92373
ASA : ACL logging is not getting disabled with keyword "log disable" | CSCus83942
[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted | CSCut31315
Memory leak @regcomp_unicorn with APCF configured | CSCuv12564
Codenomicon HTTP-server suite may cause crash | CSCur99653
ASA - Traceback in thread name SSH while applying BGP show commands | CSCus32005
bgp ipv6 neighborship fails with ASA after hard reset on router | CSCuv25327
ASA Dataplane captures dont capture packets when using match/access-list | CSCuu10284
Drop reasons missing from asp-drop capture | CSCuu13345
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel | CSCuu28909
Clustering: Traceback in DATAPATH with transparent FW | CSCut56198
RPC error in request config after replicated a large configuration | CSCur56038
show cluster mem indicates incorrect values | CSCut49711
Traceback in snp_cluster_get_buffer | CSCut44075
ASA is not correctly handling errors on AES-GCM ICV | CSCuu66218
Doubling counting flow bytes for decrypted packets | CSCuu88607
Cisco ASA DHCPv6 Relay Denial of Service Vulnerability | CSCus56252
Corrupted host name may occur with DHCP | CSCut49724
DHCP-DHCP Proxy thread traceback shortly after failover and reload | CSCuu84085
EIGRP configuration not being correctly replicated between failover ASAs | CSCut44082
ASA traceback in Thread Name: CP Processing | CSCut92194
ASA: failover logging messages appear in user context | CSCuu16983
Failover assembly remained in active-active state permanantly | CSCut11895
Traceback on standby ASA during hitless upgrade | CSCur07061
ASA: XFRAME support for .JS and .JNLP URL's | CSCut06531
ASA: traceback in IDFW AD agent | CSCuv01177
ASA Remote Access - Phase 1 terminated after xauth | CSCuu54660
ASA SMTP inspection should not disable TLS by default | CSCur68226
Handling esmtp default parameters for TLS | CSCut05676
Active ftp-data is blocked by Firepower on Chivas Beta on 5512 | CSCze96017
ASA traceback: thread name "scansafe_poll" | CSCuq69907
ASA/ASASM drops SIP invite packets with From field containing "" and \ | CSCuq99821
Traceback in thread CP Processing | CSCut48009
USB device hot plug not supported in running ASA | CSCut83833
2048-byte block leak if DNS server replies with "No such name" | CSCut45114
Cisco ASA DNS Denial of Service Vulnerability | CSCuu07799
DNS should perform IPv4 lookups if IPv6 address is not reachable | CSCuu02761
EEM action not executed on absolute time when NTP is configured | CSCuv02304
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout | CSCuu36639
LU allocate connection failed on the Standby ASA unit | CSCur51051
Cert Auth fails with 'max simultaneous-login restriction' error | CSCuu39636
ikev2 enable added to config when zones are used despite ERROR msg | CSCuv07126
Ikev2 Session with bogus assigned IP address stays on ASA | CSCut80316
IKEv2: IPSec SA's are created by dynamic crypto map for static peers | CSCus85532
ASA Traceback in PPP | CSCut75983
L2TP/IPSec Optimal MSS is not what it's supposed to be | CSCut24490
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict" | CSCut64327
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect. | CSCut69675
Duplicate IPv6 address is configurable in 1 ASA or context | CSCus98309
IPv6 local host route fail when setting link-local/Global simultaneously | CSCuu41142
ASA dropping traffic with TCP syslog configured in multicontext mode | CSCut01856
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg | CSCuu67411
ASA inspection-MPF ACL changes not inserted into ASP table properly | CSCuu19489
ASATraceback in ssh whilst adding new line to extended ACL | CSCuv07106
ASA not generating PIM register packet for directly connected sources | CSCuu63656
Cisco ASA PIM Multicast Registration Vulnerability | CSCus74398
ASA generate pool exhausted for sip inspect with embedded IP but no port | CSCus14147
Migration of max_conn/em_limit to MPF is completely wrong in 8.3 | CSCti05769
Misleading error msg for pat-pool with mapped object | CSCui37201
Observed Traceback in SNMP while querying GET BULK for 'xlate count' | CSCtz98516
PBA: Generate syslogs for port block allocation related failures | CSCut71347
Two Dynamic PAT with and without block-allocation | CSCuu33321
eglibc 2.18 is missing upstream fix #15073 | CSCuu39615
ASA crashes for the OSPFv2 packets from codenomicon | CSCus84220
ASA:OSPF over L2L tunnels is not working with multiple cry map entries | CSCuv01022
Cisco ASA OSPFv2 Denial of Service Vulnerability | CSCut52679
Ampersand (&) not encoded in packet tracer phase 'extra' field | CSCuu88548
"no nameif" is removing the policy-route configuration | CSCus19673
PBR: DF & DSCP bits are not getting set without valid set next-hop | CSCus86487
Policy based routing is not working with twice NAT | CSCus78109
ASA - Traceback in thread name: CERT API | CSCus63993
Cryptomaps lose trustpoint when syncing configuration from cluster unit | CSCuu74823
ASA tunnel-group-map cannot contain spaces | CSCuu81932
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached | CSCut67965
Anyconnect SSL VPN certificate authentication fails o ASA | CSCut15570
ASA CA certificate import fails with different types of Name Constraints | CSCuu46569
ASA Name Constraints dirName improperly verified | CSCuu45813
Incorrect cert chain sent to connecting IPSec clients | CSCut48571
PKI: potential pki session handle leak in IKEv2 L2L configurations | CSCut75202
5506-X: 'no buffer' interface counter reports incorrect errors | CSCus69021
Kenton 5516: Interface dropping ARPs after flapping under traffic load | CSCus62863
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250 | CSCuu75675
Kernel command line is displayed while booting 9.5.1 Image | CSCuv72010
Traceback and reload triggered by failover configuration | CSCuq27342
PPPoE session state timer does not initialize properly | CSCut23991
ASA 8.4 Memory leak due to duplicate entries in ASP table | CSCuq57307
ASA :Top 10 Users status is not getting enabled from ASDM. | CSCut67315
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ | CSCuu08031
Secondary ASA stuck in config sync while upgrading to 8.4.x | CSCut37042
Multiple problems with output of show processes memory | CSCuj68919
'redistribute' cmds under 'router eigrp' removed on deleting any context | CSCuv10938
ASA Cluster: Default OSPF route gone on Master unit | CSCus24519
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA | CSCuu53928
ASA silently dropping OSPF LS Update messages from neighbors | CSCut01395
ASA-3-317012 and "No route to host" errors even though the route exists | CSCuu99349
ASA: ECMP stopped working after upgrade to 9.3.2 | CSCuu00733
Misleading route-map warning message | CSCus64394
RRI static routing changes not updated in routing table | CSCur09141
Standby ASA does not apply OSPF route after config replication | CSCut10078
xszASA 9.2.1 Eigrp Authentication does not work with 16 character key | CSCut26062
Remove demo and eval warning for sfr monitor-only | CSCuu02635
ASAv cannot send SL messages after toggeling of "service call-home" cmd | CSCus79307
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg | CSCus79129
snmpwalk causes slow memory leak on ASA | CSCuu04160
"ssh scopy enable" deleted from configuration | CSCuu07308
ASA not checking the MAC of the TLS records | CSCuu52976
Cisco ASA Poodle TLS Variant | CSCuu93339
Cut Through proxy not working correctly with TLS1.2 | CSCus27650
SSL connection failing to WebVPN portal | CSCuu97304
SSL : Unable to Join nodes in Cluster | CSCuv51649
Evaluation of OpenSSL June 2015 | CSCuu83280
MARCH 2015 OpenSSL Vulnerabilities | CSCut46019
ASAv traceback in DATAPATH when used for WebVPN | CSCuu87823
JANUARY 2015 OpenSSL Vulnerabilities | CSCus42901
To-the-box UDP traffic not getting inspected and getting dropped on ASA | CSCut64846
ASA teardown connection after receiving same direction fins | CSCus11465
conn-max counter is not decreased accordingly | CSCuu86195
NFS connections not timing out after failover | CSCut04182
Per-session PAT RST sent to incorrect direction after closing session | CSCut39985
ASA traceback because of TD tcp-intercept feature | CSCut49111
Exception on asdm_handler stream line: </threat-detection> | CSCus89139
ASAv requires a reboot for the license to take effect. | CSCus54537
ASAv: RSA key pair needs to be automatically generated with 2048 bits | CSCuu09302
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno) | CSCuu07462
ASA Traceback in SSL library due to DMA memory exhaustion | CSCus89286
ASA traceback in Thread Name: fover_parse | CSCus53692
AnyConnect upgrade from AC 2.5 to AC 3.1 fails | CSCus37840
Cisco ASA VPN XML Parser Denial of Service Vulnerability | CSCus95290
HTML/Java File Browser- created file or folder shows 9 months offset | CSCuc16662
ASA WebVPN clientless cookie authentication bypass | CSCut71095
WebVpn: portal is not displayed after re-login | CSCuu48813
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread | CSCuv30184
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame | CSCuu18564
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly | CSCuu18527
ASA WebVPN: Javascript fails to execute when accessing internal portal | CSCuu32905
Issue with downloading images from Sharepoint | CSCut85049
rewriter returns 302 for a file download | CSCuv38654
Src url of video track tag not mangled via webvpn | CSCut35406
WebVPN: Tsweb fails to work through clientless portal | CSCut58935
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app | CSCut39169
Mac version smart-tunnel uses SSLv3 which is a vulnerability | CSCur42776
Windows 8 with new JRE, IE is not gaining access to smart tunnel | CSCuq10239
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2017 Cisco Systems, Inc. All rights reserved.