Release Notes for the Cisco ASA Series, 9.14(x)
This document contains release information for Cisco ASA software Version 9.14(x).
Important Notes
ASDM signed-image support in 9.14(4.14)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)
No support in ASA 9.14(1)+ for cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs (CSCvy22526).
No support in ASA 9.13(1) and later for the ASA 5512-X, ASA 5515-X, ASA 5585-X, and the ASASM—ASA 9.12(x) is the last supported version. For the ASA 5515-X and ASA 5585-X FirePOWER module, the last supported version is 6.4.
Note: ASDM 7.13(1) and ASDM 7.14(1) also did not support these models; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.
ASAv requires 2GB memory in 9.13(1) and later—Beginning with 9.13(1), the minimum memory requirement for the ASAv is 2GB. If your current ASAv runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version. You must adjust the memory size before upgrading. See the ASAv Getting Started Guide for information about the resource allocations (vCPU and memory) supported in version 9.13(1).
Downgrade issue for the Firepower 2100 in Platform mode from 9.13/9.14 to 9.12 or earlier—For a Firepower 2100 with a fresh installation of 9.13 or 9.14 that you converted to Platform mode: If you downgrade to 9.12 or earlier, you will not be able to configure new interfaces or edit existing interfaces in FXOS (note that 9.12 and earlier only supports Platform mode). You either need to restore your version to 9.13 or later, or you need to clear your configuration using the FXOS erase configuration command. This problem does not occur if you originally upgraded to 9.13 or 9.14 from an earlier release; only fresh installations are affected, such as a new device or a re-imaged device. (CSCvr19755)
Cluster control link MTU change in 9.13(1)—Starting in 9.13(1), many cluster control packets are larger than they were in previous releases. The recommended MTU for the cluster control link has always been 1600 or greater, and this value is appropriate. However, if you set the MTU to 1600 but then failed to match the MTU on connecting switches (for example, you left the MTU as 1500 on the switch), then you will start seeing the effects of this mismatch with dropped cluster control packets. Be sure to set all devices on the cluster control link to the same MTU, specifically 1600 or higher.
Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later—There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, was removed from the inspect skinny command.
Windows DNS Client Optimization Limitation—Because of a limitation in Windows 8 and above, we have observed that certain name resolutions, such as nslookup, fail for FQDNs by not matching any split-DNS domains. The workaround is to disable Windows DNS client optimization with the following changes:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Value: DisableParallelAandAAAA Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient Value: DisableSmartNameResolution Data: 1
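The same two registry changes as an idempotent PowerShell script, added here as an example (it is not Cisco's code). The helper name Set-DnsWorkaroundValue is hypothetical, and the script assumes both values are written as REG_DWORD, with the first value spelled DisableParallelAandAAAA as Windows names it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from Cisco: applies the two registry values from the
# Windows DNS client optimization workaround and reports what changed.
# Set-DnsWorkaroundValue is a hypothetical helper name; both values are
# written as REG_DWORD (assumption stated in the lead-in).

function Set-DnsWorkaroundValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Data
    )

    # The Policies\...\DNSClient key may be absent when no DNS client policy
    # has ever been set, so create it before writing the value.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }

    # Read the current value; $null when the key or the value does not exist.
    $item     = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $previous = if ($item) { $item.$Name } else { $null }

    # Only write when the stored data differs, so repeated runs change nothing.
    $changed = $false
    if ($previous -ne $Data) {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD value to $Data")) {
            New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord `
                -Value $Data -Force | Out-Null
            $changed = $true
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Previous = $previous
        Changed  = $changed
    }
}

# The two key/value/data triples listed in the workaround.
$workaround = @(
    @{
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
        Name = 'DisableParallelAandAAAA'
        Data = 1
    },
    @{
        Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
        Name = 'DisableSmartNameResolution'
        Data = 1
    }
)

# Add -WhatIf to the call below to preview the changes without writing them.
$results = foreach ($entry in $workaround) {
    Set-DnsWorkaroundValue @entry
}
$results | Format-Table -AutoSize
```

The Previous column records what each value held before the run, which is the data needed to revert the workaround later.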
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.14(4)
Released: February 2, 2022
There are no new features in this release.
New Features in ASA 9.14(3)
Released: June 15, 2021
There are no new features in this release.
New Features in ASA 9.14(2)
Released: November 9, 2020
| Feature | Description |
| --- | --- |
| SNMP Features | |
| SNMP polling over site-to-site VPN | For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration. |
New Features in ASA 9.14(1.30)
Released: September 23, 2020
| Feature | Description |
| --- | --- |
| Licensing Features | |
| ASAv100 permanent license reservation | The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation. |
New Features in ASAv 9.14(1.6)
Released: April 30, 2020
Note: This release is only supported on the ASAv.
| Feature | Description |
| --- | --- |
| Platform Features | |
| ASAv100 platform | The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years. The ASAv100 is supported on VMware ESXi and KVM only. |
New Features in ASA 9.14(1)
Released: April 6, 2020
| Feature | Description |
| --- | --- |
| Platform Features | |
| ASA for the Firepower 4112 | We introduced the ASA for the Firepower 4112. No modified commands. |
| Firewall Features | |
| Ability to see port numbers in show access-list output. | The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www. |
| The object-group icmp-type command is deprecated. | Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Please change all ICMP-type objects to service object groups (object-group service) and specify service icmp within the object. |
| Kerberos Key Distribution Center (KDC) authentication. | You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC. New/Modified commands: aaa kerberos import-keytab, clear aaa kerberos keytab, show aaa kerberos keytab, validate-kdc. |
| High Availability and Scalability Features | |
| Configuration sync to data units in parallel | The control unit now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially. New/Modified commands: config-replicate-parallel |
| Messages for cluster join failure or eviction added to show cluster history | New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster. New/Modified commands: show cluster history |
| Interface Features | |
| Speed auto-negotiation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100 | You can now configure a Firepower 1100 or 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB. New/Modified commands: speed nonegotiate |
| Administrative and Troubleshooting Features | |
| New connection-data-rate command | The connection-data-rate command was introduced to provide an overview of the data rate of individual connections on the ASA. When this command is enabled, the per-flow data rate is provided along with the existing connection information. This information helps to identify and block unwanted connections with high data rates, thereby optimizing CPU utilization. New/Modified commands: conn data-rate, show conn data-rate, show conn detail, clear conn data-rate |
| HTTPS idle timeout setting | You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precedence. New/Modified commands: http connection idle-timeout |
| NTPv4 support | The ASA now supports NTPv4. No modified commands. |
| New clear logging counter command | The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics. New/Modified commands: clear logging counter |
| Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode | The debug fxos_parser command has been simplified to provide commonly-used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command. New/Modified commands: debug fxos_parser, debug menu fxos_parser |
| show tech-support command enhanced | The show ssl objects and show ssl errors commands were added to the output of the show tech-support command. New/Modified commands: show tech-support. Also in 9.12(4). |
| Monitoring Features | |
| Net-SNMP version 5.8 Support | The ASA is using Net-SNMP, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 using both IPv4 and IPv6. No modified commands. |
| SNMP OIDs and MIBs | The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected/failed authentications from RADIUS over SNMP. This feature implements three SNMP OIDs: The ASA provides support for the Advanced Encryption Standard (AES) Cipher Algorithm. This feature implements the following SNMP OIDs: |
| SNMPv3 Authentication | You can now use SHA-256 HMAC for user authentication. New/Modified commands: snmp-server user |
| debug telemetry command. | When you use the debug telemetry command, debug messages related to telemetry are displayed. The debugs help to identify the cause for errors when generating the telemetry report. New/Modified commands: debug telemetry, show debug telemetry |
| VPN Features | |
| DHCP Relay Server Support on VTI | You can now configure a DHCP relay server to forward DHCP messages through a VTI tunnel interface. New/Modified commands: dhcprelay server |
| IKEv2 Support for Multiple Peer Crypto Map | You can now configure IKEv2 with multi-peer crypto map—when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list. No modified commands. |
| Username Options for Multiple Certificate Authentication | In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for aaa authentication. New/Modified commands: username-from-certificate-choice, secondary-username-from-certificate-choice |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
ASDM: Choose
. -
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note: Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
Note: For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Note: ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
| --- | --- | --- |
| 9.13(x) | — | Any of the following: → 9.14(x) |
| 9.12(x) | — | Any of the following: → 9.14(x) |
| 9.10(x) | — | Any of the following: → 9.14(x) → 9.12(x) |
| 9.9(x) | — | Any of the following: → 9.14(x) → 9.12(x) |
| 9.8(x) | — | Any of the following: → 9.14(x) → 9.12(x) |
| 9.7(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.6(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.5(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.4(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.3(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.2(x) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.6(x) → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 8.3(x) | → 9.0(4) | Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
| 8.2(x) and earlier | → 9.0(4) | Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have an account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.14(x)
The following table lists select open bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
ASA traceback and reload on Thread Name CP Processing |
FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries |
ICMP Echo replies can be dropped with a high load of echo requests |
PLR license reservation for ASAv5 is requesting ASAv10 |
High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby |
ASA disconnects the ssh, https session using of Active IP address and Standby MAC address after FO |
Standby's sub interface mac doesn't revert to old mac with no mac-address command |
IPv6 PMTU discovery does not work for RA VPN Cllient with tunneled route |
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
ASA/FTD traceback and reload on octnic_hm_thread thread |
ASA with SNMPv3 configuration observes unexpected reloads with snmpd cores |
FTDv Loss of network reachability across all data interfaces |
AnyConnect SSL traffic not passing due to stale SVC NP rules |
ASA/FTD Lina Traceback and reload |
ASA/FTD - Traceback in Thread Name:DATAPATH |
LINA observed traceback on thread name "snmp_client_callback_thread" |
Polling OID "" gives negative index value of the associated tunnel |
ASAv traceback when SD_WAN ACL enabled, then disabled (or vice-versa) in PBR |
Conditional flow-offload debugging produces no output |
FTD: Time gap/mismatch seen when new node joins a Cluster Control node under history |
ASA/FTD - Traceback in Thread Name:DATAPATH |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.14(4)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
MAXHOG timestamp is not shown in 'show processes cpu-hog' output |
2 CPU Cores continuously spike on firepower appliances |
Cluster: ping sourced from FTD/ASA to external IPs may if reply lands on different cluster unit |
AWS FTD: Deployment failure with ERROR: failed to set interface to promiscuous mode |
Traceback on ASA by Smart Call Home process |
ASA show processes cpu-usage output is misleading on multi-core platforms |
Data Unit traceback and reload without traffic at Thread Name :"logger" |
Node traceback and reload when trying to add into the cluster using "enable" command |
FTD/ASA creates coredump file with "!" character in filename (lina changes). |
Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header |
Snmpwalk showing traffic counter as 0 for failover interface |
traceback: ASA reloaded snp_fdb_destroy_fh_callback+104 |
ASA traceback and reload on engineering ASA build - |
FPR1120 running ASA traceback and reload in crypto process. |
ASA/FTD Traceback and reload due to netflow refresh timer |
IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response |
ASA traceback and reload due to strcpy_s: source string too long for dest |
Core-local block alloc failure on cores where CP is pinned leading to drops |
Cisco ASA Software and FTD Software Identity-Based Rule Bypass Vulnerability |
SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0 |
ASA CP CPU wrong calculation leads to high percentage (100% CP CPU) |
SNMP bulkget not working for specific OIDs in firewall mib and device performance degradation |
Traceback and reload due to Umbrella |
ASA/FTD Traceback and reload on Thread Name: IKEv2 Daemon with VTIs configured |
Cisco ASA and FTD Software Resource Exhaustion Denial of Service Vulnerability |
Slow file transfer or file upload with SSL policy is applied with Decrypt resign action |
VPN conn fails from same user if Radius server sends a dACL and vpn-simultaneous-logins is set to 1 |
SNMP traps being sent out sourced with unexpected IP from the data interface |
ASA/FTD may traceback and reload when saving/writitng the configuration to memory |
FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover |
In some cases snmpwalk for ifXTable may not return data interfaces |
Secondary ASA could not get the startup configuration |
High CPU and massive "no buffer" drops during HA bulk sync and during normal conn sync |
Unable to configure ipv6 address/prefix to same interface and network in different context |
ASA traceback and reload when copying files with long destination filenames using cluster command |
Traceback on FPR 4115 in Thread - Lic HA Cluster |
ASA in PLR mode,"license smart reservation" is failing. |
AnyConnect certificate authentication fails if user certificate has 8192 bits key size |
ASA traceback when re-configuring access-list |
HA goes to active-active state due to cipher mismatch |
DHCP reservation fails to apply reserved address for some devices |
ASA Traceback and Reload in Thread Name: DATAPATH |
FTD/ASA: PATed traffic impacted when configured on ixgbe-vf SRIOV interfaces in HA |
ASA cluster Traceback with Thread Name: Unicorn Admin Handler even when running fix for CSCuz67596 |
Traceback: ASA on FPR 2110 traceback and reload on process Lina |
REST API Login Page Issue |
ASA Traceback and reload on the A/S failover pair at IKEv2 |
PIM Register Sent counter does not increase when encapsulated packets with register flag sent to RP |
LINA Crash from pdts_pd_segment.c:1941 on FPR1k & ISA3k |
Active tries to send CoA update to Standby in case of "No Switchover" |
FTD unnecessarily ACKing TCP flows on inline-pair deployment |
ASA/FTD SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
No space left disk space is full on /ngfw |
Ambiguous command error is shown for 'show route bgp' or 'show route isis' if DNS lookup is enabled |
UN-NAT created on FTD once a prior dynamic xlate is created |
FTD traceback and reload during anyconnect package verification |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
ASA/FTD sends continuous Radius Access Requests Even After Max Retry Count is Reached |
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815' |
L2L VPN session bringup fails when using NULL encryption in ipsec configuration |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
FTD traceback and reload on Lic TMR Thread on Multi Instance FTD |
Remote Access IKEv2 VPN session cannot be established because of stuck Uauth entry |
ASA Traceback & reload on process name lina due to memory header validation |
ASA/FTD may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
ASA/FTD may traceback and reload in Thread Name 'ssh' |
ASA traceback in IKE Daemon process and reload |
Long OCSP timeout may cause AnyConnect authentication failure |
Firepower flow-offload stops offloading all existing and new flows |
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
FTD loses OSPF network statements config for all VRF instances upon reboot |
RSA keys & Certs get removed post reload on WS-SVC-ASA-SM1-K7 with ASA code 9.12.x |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
ASA traceback and reload due to snmp encrypted community string when key config is present |
VTI tunnel interface stays down post reload on KP/WM platform in HA |
Block 80 and 256 exhaustion snapshots are not created |
Denial of Service vulnerability handling the config-request request |
SNMP v3 configuration lost after reboot for HA |
ASA/FTD Memory block location not updating for fragmented packets in data-path |
Time out of sync between Lina and FXOS |
ASAv adding non-identity L2 entries for own addresses on MAC table and dropping HA hellos |
Debugs for: SNMP MIB value for crasLocalAddress is not showing the IP address |
FTD HA stuck in bulk state due to stuck vpnfol_sync/Bulk-sync keytab |
WM Standby device do not send out coldstart trap after reboot. |
ASA accounting reports incorrect Acct-Session-Time |
ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections |
The standby device is sending the keep alive messages for ssl traffic after the failover |
ASAv on Azure loses connectivity to Metadata server once default outside route is used |
FTD doesn't TCP ping when VRF's are configured |
ASA/FTD traceback and reload after downgrade |
SSH session not being released |
ASA/FTD traceback and reload when negating snmp commands |
ASA Traceback and reload in Thread Name: SNMP ContextThread |
PAT pool exhaustion with stickiness traffic could lead to new connection drop. |
FTD traceback and reload related to SSL after upgrade to 7.0 |
Cisco ASA and FTD Software IKEv2 Site-to-Site VPN Denial of Service Vulnerability |
FTD/ASA: Adding new ACE entries to ACP causes removal and re-add of ACE elements in LINA |
Revert 'fix' introduced by CSCvr33428 and CSCvy39659 |
FTD traceback and reload in Process Name lina related to SNMP functions |
ASA disconnects the VTY session using of Active IP address and Standby MAC address after failed over |
FP21xx -traceback "Panic:DATAPATH-10-xxxx -remove_mem_from_head: Error - found a bad header" |
FTD lina traceback and reload in thread Name Checkheaps |
Traceback in webvpn and reload experienced periodically after ASA upgrade |
Crypto archive generated with SE ring timeout on 7.0 |
PKI "OCSP revocation check" failing due to sha256 request instead of sha1 |
FTD reload with Lina traceback during xlate replication in Cluster |
ASA55XX: Expansion module interfaces not coming up after a software upgrade |
ASA: Orphaned SSH session not allowing us to delete a policy-map from CLI |
ASP drop capture output may display incorrect drop reason |
Cluster CCL interface capture shows full packets although headers-only is configured |
ASA traceback and reload thread name: Datapath |
ASA/FTD may traceback and reload in loop processing Anyconnect profile |
FTDv - Lina Traceback and reload |
Twice nat's un-nat not happening if nat matches a pbr acl that matches a port number instead of IP |
SNMP agent restarts when show commands are issued |
device rebooted with snmpd core |
ASA: Drop reason is missing from 129 lines of asp-drop capture |
ASA: ARP entries from custom context not removed when an interface flap occurs on system context |
FTD/Lina may traceback when "show capture" command is executed |
ASA tracebacks and reload when clear configure snmp-server command is issued |
Nat hitcount not updated in FQDN_NAT |
If ASA fails to download DACL it will never stop trying |
ASDM session is not served for new user after doing multiple context switches in existing user |
FTD/ASA - Stuck in boot loop after upgrade from to 9.14.3 |
BGP packets dropped for non directly connected neighbors |
ASAv traceback in snmp_master_callback_thread and reload |
ASA/FTD Traceback and Reload during bulk VPN session connect |
ASA/AnyConnect - Stale RADIUS sessions |
ASA traffic dropped by Implicit ACL despite the fact of explicit rules present on Access-list |
Internal ldap attribute mappings fail after HA failover |
ASAv observed traceback while upgrading hostscan |
FTD may traceback and reload in Thread Name 'lina' |
Traceback and reload in Thread Name: DATAPATH-15-18621 |
FPR2100: Unable to form L2L VPN tunnels when using ESP-Null encryption |
show tech-support output can be confusing when there crashinfo, need to clean up/make more intuitive |
ASA does not use the interface specified in the name-server command to reach IPv6 DNS servers |
FTD Traceback and Reload on process LINA |
conf t is converted to disk0:/t under context-config mode |
ASA traceback due to SCTP traffic. |
ASA Traceback in Thread Name: DATAPATH-4-23199 in enic_put / FREEB when sending LU to statelink |
ASA traceback on DATAPATH when handling ICMP error message |
ASA/FTD Traceback and reload due to memory corruption when generating ICMP unreachable message |
ASA traceback and reload in SSH process when executing the command "show access-list" |
ASDM session count and quota management's count mismatch. 'Lost connection firewall' msg in ASDM |
IPV6 DNS PTR query getting modified on FTD |
SSL decryption not working due to single connection on multiple in-line pairs |
ASA log shows wrong value of the transferred data after the anyconnect session terminated. |
Traceback observed on ASA while handling SAML handler |
Deleting The Context From ASA taking Almost 2 Minutes with ikev2 tunnel |
FTD - Traceback in Thread Name: DATAPATH |
ASA/FTD Standby unit fails to join HA |
Inconsistent logging timestamp with RFC5424 enabled |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS |
OSPFv3: FTD Wrong "Forwarding address" added in ospfv3 database |
ASA/FTD traceback and reload caused by "timer services" function |
FTD 100G interfaces down after upgrade of FXOS and FTD to and 6.6.4 |
Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby |
ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM |
OSPFv2 flow missing cluster centralized "c" flag |
SSL VPN performance degraded and significant stability issues after upgrade |
Low available DMA memory on ASA 9.14 at boot considerably reduces AnyConnect sessions supported |
With object-group in crypto ACL sum of hitcnt mismatches with the individual elements |
Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic |
ASA Privilege Escalation with valid user in AD |
ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions |
NTP sync on IPV6 will fail if the IPV4 address is not configured |
FTD Deployment failure post upgrade due to major version change on device |
IP Address 'in use' though no VPN sessions |
Cisco ASA and FTD Software SSL/TLS Client Denial of Service Vulnerability |
BGP routes shows unresolved and dropping packet with asp-drop reason "No route to host" |
IPv6 PIM packets are dropped in ASP with invalid-ip-length drop reason |
Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service |
AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group |
SNMP Stopped Responding After Upgrading to Version- 9.14(2)15 |
ASA Failover Split Brain caused by delay on state transition after "failover active" command run |
Cisco Firepower Threat Defense Software Denial of Service Vulnerability |
ASA/FTD traceback and reload on IKE Daemon Thread |
ASA/FTD: remove unwanted process call from LUA |
ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes" |
Flow Offload - Compare state values remains in error state for longer periods |
Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency" |
FTD moving UI management from FDM to FMC causes traffic to fail |
"Error:NAT unable to reserve ports" when using a range of ports in an object service |
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability |
ASA on FPR4100 traceback and reload when running captures using ASDM |
Random FTD traceback during deployment from FMC |
Traceback: Secondary firewall reloading in Threadname: fover_parse |
ASA/FTD traceback and reload due to pix_startup_thread |
FTD Service Module Failure: False alarm of "ND may have gone down" |
ASA/FTD Change in OGS compilation behavior causing boot loop |
Resolved Bugs in Version 9.14(3)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
ASA - rare cp processing corruption causes console lock |
HTTPS access on FTD data interface (off-box management) is failing |
ASA core blocks depleted when host unreachable in IRB/TFW configuration |
ASA running Traceback in threadname Unicorn Proxy Thread |
Input/Output interfaces in packet tracer RESULT are shown as "UNKNOWN" |
ASA : Traceback on tcp_intercept Thread name : Threat detection |
ASA: crypto session handles leak on the standby unit |
Traffic does not fallback to primary interface from crypto map when interface becomes available |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down |
FXOS - Recover hwclock of service module from corruption due to simultaneous write collision |
Critical RPM alert on FRP 1000 and FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message |
ASA traceback with thread: idfw_proc |
ctm crashed while sending emix traffic over VTI tunnel |
Standby unit traceback at fover_parse and boot loop when detecting Active unit |
ASA traceback and reload during SSL handshake |
Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup |
Ping Failure on ASAv - 9.13 after CAT9k reboot |
SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1 |
traceback: ASA reloaded lina_sigcrash+1394 |
ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down |
FTD Lina engine may traceback in datapath after enabling SSL decryption policy |
Access Control Policy with time range object is not getting hit |
OSPF neighbourship is not establishing |
ASA learning a new route removes asp route table created by floating static |
Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4 |
ASA traceback observed when "config-url" is entered while creating new context |
Netflow template not sent under certain circumstances |
ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout |
After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa. |
Intermittently after reboot, ADI can't join KCD |
Interface status may be mismatched between application and chassis due to missed update |
ASA still doesn't allow to poll internal-data0/0 counters via SNMP in multiple mode |
Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue |
Removing static ipv6 route from management-only route table affects data traffic |
ASA Anyconnect url-redirect not working for ipv6 |
ASA/FTD: HA switchover doesn't happen with graceful reboot of firepower chassis |
Traceback Cluster unit on snpi_nat_xlate_destroy+2508 |
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail |
ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user |
Snmp user fails on standby device after rejoining ha, after ha break. |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order |
ASA traceback and reload in fover_parse when attempting to join the failover pair. |
ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing |
After modify network/service object name. mis-match will occur on hash value of ACL in syslog. |
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
ASA traceback and reload on inspect esmtp |
Inner flow: U-turn GRE flows trigger incorrect connection flow creation |
FTD does not try all the crl urls for getting crl file |
Inspect-snmp drops thru-the-box snmp paks if snmp is disabled |
ASA 9.12 random traceback and reload in DATAPATH |
Traffic to virtual IP address dropped on system context of Master ASA due to failed classification |
FTD stuck in Maintenance Mode after upgrade to 6.6.1 |
ASA traceback while modifying the bookmark SSL Ciphers configuration |
traceback: ASA reloaded snp_fdb_destroy_fh_callback+104 |
OSPF network commands go missing in the startup-config after upgrading the ASA |
Traceback due to fover and ssh thread |
Traceback leads to the purg_process |
ASA5555 traceback and reload on Thread Name: ace_work |
Traceback during SNMP traffic testing |
Unexpected traceback and reload on FTD creating a Core file |
ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process |
ASA cluster members 2048 block depletion due to "VPN packet redirect on peer" |
ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel |
DHCP-Proxy renewal timer is not started after failover |
ASA SNMPv3 Poll fails when using AES 256 |
ASA/FTD may traceback in thread name fover_FSM_thread and reload |
No deployment failure reason in transcript if 'show running-config' is running during deployment |
ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover |
FTD 6.6 : High CPU spikes on snmpd process |
ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover. |
ASA/FTD debugs do not print clear failure reason when no proposal is chosen |
Secondary unit not able to join the cluster |
ASA traceback and reload due to VPN thread on firepower 2140 |
ASA will not import CA certificate with name constraint of RFC822Name set as empty |
ASA traceback cp_midpath_process_thread |
ASA duplicate MAC addresses in Shared Interfaces of different Contexts causing traffic impact |
Snort busy drops with PDTS Tx queue stuck |
ASA traceback and reload while executing "show tech-support" command |
Heapcache Memory depleting rapidly due to certificate chain failed validation |
ASA stale VPN Context seen for site to site and AnyConnect sessions |
Offloaded traffic not failed over to secondary route in ECMP setup |
ASA traceback in the LINA process |
Unable to remove non-used prefix-list object |
FTD traceback and reload on DATAPATH thread when processing encapsulated flows |
radius_rcv_auth can shoot up control plane CPU to 100%. |
Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state |
ASA/FTD Traceback and reload in Thread Name: Logger |
TCP File transfer (Big File) not properly closed when Flow offload is enabled |
ASA syslog traceback while strncpy NULL string passed from SSL library |
ASA traceback and reload on Thread Name: ci/console |
Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
IKEv2 with EAP, MOBIKE status fails to be processed. |
SNMP process crashed, resulting in Lina traceback |
ASA/FTD may traceback and reload due to memory corruption in SNMP |
Director/Backup flows are left behind and traffic related to this flow is blackholed |
ASASM traceback and reload after upgrade up to 9.12(4)4 and higher |
TACACS+ ASCII password change request not handled properly |
VPN syslogs are generated at a rate of 600/s until device goes into a hang state |
Ipsec Send Error Increasing When NTP Authenticate is Enabled |
ASA on FPR2110 traceback and reloads randomly |
ASA/FTD Traceback and reload during PBR configuration change |
ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine |
ASAv snmp traceback on reload |
FTD: NLP path dropping return ICMP destination unreachable messages |
IPSec transport mode traffic corruption for inbound traffic for some FPR platforms |
DAP stopped working after upgrading the ASA to 9.13(1)13 |
ASA/FTD may traceback and reload during upgrade |
ASA/FTD traceback and reload in process name "Lina" |
IPv4 Default Tunneled Route Rejected |
RIP database not populated with SLA monitored static route that was re added in the routing table. |
FPR 4K: SSL trust-point removed from new active ASA after manual Failover |
ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure |
Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability |
FTD/ASA HA: Standby Unit FXOS is still able to forward traffic even after failover due to traceback |
ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters |
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability |
FPR-4150 - ASA traceback and reload with thread name DATAPATH |
IPv6 static routes not getting installed, upon changing ifc type management-only |
Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload |
Connection issues to directly connected IP from FTD BVI address |
Standby/Secondary cluster unit might crash in Thread Name: fover_parse and "cluster config sync" |
ASA traceback and reload on engineering ASA build - |
ASA failing to sync with IPv6 NTP server |
ASA: Random L2TP users cannot access resources due to stale ACL filter entries |
Standby ASA linkdown SNMPtrap sent from standby interface with active IP address |
ASA traceback and reload in Thread: Ikev2 Daemon |
ASA traceback in IKE Daemon and reload |
ASA fails to process SAML assertion when tunnel-group name contains "." |
ASA: OpenSSL Vulnerability CVE-2020-1971 |
ASA Tracebacks when making "configuration session" changes regarding an ACL. |
BVI HTTP/SSH access is not working in versions or above |
FTD Firewall may traceback and reload when modifying ACLs |
Managed device backup fails, for FTD, if hostname exceeds 30 characters |
ASA traceback and reload on Thread name snmp_alarm_thread |
ASA traceback and reload webvpn thread |
ASA/FTD may traceback and reload during certificate changes. |
PPPOE - ASA sends CONFACK for non-configured protocol |
S2S traffic fails due to missing V routes after Primary cluster unit gets disabled |
ASA traceback and reload with Thread name: ssh when capture was removed |
Traceback in inspect_h323_ras+1810 |
ASA: VPN traffic does not pass if no dACL is provided in CoA |
ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA |
ASAv: SNMP result for used memory value incorrect after upgrade to 9.14 |
Traceback in Thread Name: Lic TMR |
Offload rewrite data needs to be fixed for identity nat traffic and clustering environment |
When SGT name is unresolved and used in ACE, line is not being ignored/inactive |
ASA reload is removing 'content-security-policy' config |
ASA may generate a traceback in Logger thread during configuration sync in HA |
Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1 |
ASA: default IPv6/IPv4 route tunneled does not work |
SNMP walk for v2 and v3 fails with No Such Object available on this agent at this OID is seen |
ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload |
Last transaction timestamp status "unknown" for active LDAP AAA server |
Not able to Advertise/Redistribute VXLAN/VNI interface subnet using EIGRP |
ASA may traceback and reload on thread Crypto CA |
Firepower 2110 silently dropping traffic with TFC enabled on the remote end |
ASA/FTD traceback in Thread Name: PTHREAD-4432 |
DHCP Proxy Offer is getting drop on the ASA/FTD |
FTD doesn't redirect packets to the WCCP web-cache engine when VRF's are configured |
ASA may traceback and reload in Thread Name 'webvpn_task' |
FPR-2100-ASA : SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions |
Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead. |
Deployment gets failed for snmp settings while deleting snmpv1 and adding snmpv3 at a time in 6.6.3 |
ASA/FTD may traceback in after changing snmp host-group object |
ASA/FTD Traceback and reload due to netflow refresh timer |
ASA traceback and reload during OCSP response data cleanup |
IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response |
LINA silently drops packet if the MTU of the packet is of size > the MTU of egress interface |
X-Frame-Options header is not set in webvpn response pages |
ASA traceback & reload due to "show crashinfo" adding a new output log |
Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508 |
ASA traceback and reload due to strcpy_s: source string too long for dest |
FTD traceback and reload on process lina on FPR2100 series |
ASA: Unable to import PAC file if FIPS is enabled. |
Firewall CPU can increase after a bulk routing update with flow offload |
IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server |
ASA traceback and reload in ssl midpath |
ASA reload with FIPS failure |
Core-local block alloc failure on cores where CP is pinned leading to drops |
Concurrent modification of ACL configuration breaks output of "show running-config" completely |
FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again |
ASA EIGRP route stuck after neighbour disconnected |
FTD/ASA traceback in Thread Name : Unicorn Proxy Thread |
ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay) |
X-Frame-Options header support for older versions of IE and windows platforms |
SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0 |
Traceback in Thread Name: fover_health_monitoring_thread |
ASA traceback and reload in SNMP Notify Thread while deleting transparent context |
ASP capture dispatch-queue-limit shows no packets |
Deployment failures on FTD when multicast is enabled. |
FTD 6.6.1/6.7.0 is sending SNMP Ifspeed OID ( response value = 0 |
Smart Tunnel Code signing certificate renewal |
COA Received before data tunnel comes up results in tear down of parent session |
Need comprehensive details in logs on what is stopping VPN load-balancing cluster formation |
ASA traceback and reload on Thread Name: CTM Daemon |
FPR2100: enable kernel panic on octeon for UE events to trigger crash |
ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect) |
ASA - unable to import CA certificate when countryName is encoded as UTF8 |
ASA responds with "00 00 00 00 00 00" when polling interface physical address using snmp |
ASA Traceback and reload in Thread Name: SNMP ContextThread |
ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script |
ASA: "ERROR: Unable to delete entries from Hash Table" with CSM |
Optimise ifmib polls |
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 |
Re-transmitted SYN are not inspected by inspection engine |
ASA traceback while taking captures |
Traceback and reload due to Umbrella |
SNMP traps being sent out sourced with unexpected IP from the data interface |
ASA/FTD may traceback and reload when saving/writing the configuration to memory |
Failover license count not synced to standby firewall. |
FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover |
ASA not replicating BGP password correctly to standby unit |
VPN Load Balancing may get stuck and disconnect from the group |
Secondary ASA could not get the startup configuration |
Supportive change in ASA to differentiate, new ASDM connections from existing ASDM context switch |
ASA crashes when copying files with long destination filenames using cluster command |
Traceback on FPR 4115 in Thread - Lic HA Cluster |
ASA/FTD tracebacks due to CTM message handler |
improve debugging capability for uauth |
AnyConnect certificate authentication fails if user certificate has 8192 bits key size |
ASA traceback when re-configuring access-list |
Port-forwarding application blocked by Java |
REST API Login Page Issue |
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815' |
Resolved Bugs in Version 9.14(2)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
TCM doesn't work for ACE addition/removal, ACL object/object-group edits |
ASA/FTD traceback and reload in Thread Name: SXP CORE |
"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs |
ASA traceback and reload due to tcp_retrans_timeout internal thread handling |
[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches |
ASA traceback and reload on Thread Name SSH |
AAA requests on FTD not following V-routes learned from RRI |
AnyConnect and Management Sessions fail to connect after several weeks |
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22 |
RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted |
ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec' |
ASA traceback and reload multiple times with trace "webvpn_periodic_signal" |
Lina traceback when changing device mode of FTD |
FP2100: Traceback and reload when processing traffic through more than two inline sets |
After upgrade to version is not possible to add an access-group |
Inconsistent timestamp format in syslog |
ASA5506 to the box icmp request packets intermittently dropped |
ASA Traceback Due to Umbrella Inspection |
ICMP Reply Dropped when matched by ACL |
ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
ASDM session being abruptly terminated when switching between different contexts |
FPR1010 temperature thresholds should be changed |
ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface |
ASA/Lina Offloaded TCP flows interrupted if TCP sequence number randomizer is enabled and SACK used |
ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection |
"dns server-group DefaultDNS" cli not getting negated |
vFTD not able to pass vlan tagged traffic (trunk mode) |
Calls fail once anyconnect configuration is added to the site to site VPN tunnel |
ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection |
Port-channel bundling is failing after upgrade to 9.8 version |
ASA/FTD may traceback and reload in Thread Name 'License Thread' |
FTD Traceback Lina process |
Reduce number of fsync calls during close in flash file system |
ASA/FTD traceback and reload due to memory leak in SNMP community string |
Deployment is marked as success although LINA config was not pushed |
Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability |
Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
SCTP heartbeats failing across the firewall in Cluster deployment. |
IPv6 DNS server resolution fails when the server is reachable over the management interface. |
Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169) |
Incorrect access-list hitcount seen when configuring it with a capture on ASA |
DOC - Clarify the meaning of mp-svc-flow-control under show asp drop |
ASA/FTD may traceback and reload in Thread Name 'ssh' |
ASA: Traceback in thread Unicorn Admin Handler |
ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry |
Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
IPv6 Nat rejected with error "overlaps with inside standby interface address" for Standalone ASA |
FTD Traceback in thread 'ctm_ipsec_display_msg' |
Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot |
VPN failover recovery is taking approx. 30 seconds for data to resume |
FTD: Traceback and reload related to lina_host_file_open_raw function |
ASAv Unable to register smart licensing with IPv6 |
Active FTP fails when secondary interface is used on FTD |
Observed traceback on 2100 while performing Failover Switch from Standby. |
sctp-state-bypass is not getting invoked for inline FTD |
FPR2100 - ASA in Appliance Mode - SNMP Delay |
IPSec SAs are not being created for random VPN peers |
Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train |
Multi-context ASA/LINA on FPR not sending DHCP release message |
Erase disk0 on ISA3000 causes file system not supported |
ASA:BVI interface of standby unit stops responding after reload |
Dynamic RRI route is not destroyed when IKEv2 tunnel goes down |
Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros |
Crypto ring stalls when the length in the ip header doesn't match the packet length |
ASA LDAPS connection fails on Firepower 1000 Series |
FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto |
Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI |
Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008 |
PKI-CRL: Memory Leak on Download and Clear Large CRL |
PKI-CRL: Memory Leak on Download Large CRL in loop without clearing it |
Fragmented packets forwarded to fragment owner are not visible on data interface captures |
Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56 |
ASA traceback Thread name - webvpn_task |
ASA5585 traceback and reload after upgrading SFR from 6.4.0 to |
LINA cores are generated when FTD is configured to do SSL decryption. |
FTD manual certificate enrollment fails with "&" (ampersand) in Organisation subject field |
ASA on multicontext mode, deleting a context does not delete the SSH keys. |
ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process |
remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around |
ASA is sending failover interface check control packets with a wrong destination mac address |
Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability |
"Show crypto accelerator load-balance detail" has missing and undefined output |
Route Fallback doesn't happen on Slave unit, upon RRI route removal. |
NetFlow reporting impossibly large flow bytes |
FTD traceback and reload on thread "IKEv2 Mgd Timer Thread" |
Adjust Firepower 4120 Maximum VPN Session Limit to 20,000 |
ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for AnyConnect |
"clear configure access-list" on ACL used for vpn-filter breaks access to resources |
TACACS Fallback authorization fails for Username enable_15 on ASA device. |
FTD traceback and reload on FP2120 LINA Active Box. VPN |
Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100 |
The syslog message 201008 should include reason of drop when TCP server is down |
ASA traceback and reload for the CLI "show asp table socket 18421590 det" |
WebVPN rewriter fails to parse data from SAP Netweaver. |
Unable to access anyconnect webvpn portal from google chrome using group-url |
SNMP traps can't be generated via diagnostic interface |
ASA traceback and reload with thread name coa_task |
Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA |
ASA should allow null sequence encoding in certificates for client authentication. |
Certificate mapping for AnyConnect on FTD stops working. |
SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1 |
ASAv on AWS BYOL image cannot be enabled for PLR |
IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions |
tsd0 not reset when ssh quota limit is hit in ci_cons_shell |
Traceback: Modifying FTD inline-set tap-mode configuration with active traffic |
AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting |
Device loses ssh connectivity when username and password is entered |
FPR2100: ASA console may hang & become unresponsive in low memory conditions |
ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS |
aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment |
cert map to specify CRL CDP Override does not allow backup entries |
ASAv - Traceback and reload on SNMP process |
Timestamp format will be shown always in UTC |
Lina cores on multi-instance causing a boot loop on both logical-devices |
FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload |
ASA on QP platforms display wrong coredump filesystem space (50 GB) |
DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently. |
FTD Inline-set bridge group ID set to 0 with tap-mode off |
ASA traceback and reload on function snmp_master_callback_thread |
Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup |
ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN |
HKT - Failover time increases with upgrade to |
ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread |
Current connection count is negative on 'show service policy' when connection limit is set in MPF |
FTD failover units traceback and reload on DATAPATH |
ASA generated a traceback and reloaded when changing the port value of a manual nat rule |
Config_XML_Response from LINA is not in the correct format, Lina reporting as No memory available. |
FTD traceback & reload on thread name : CP processing |
ASA interface ACL dropping snmp control-plane traffic from ASA |
WebVPN SSO Gives Unexpected Results when Integrated with Kerberos |
Scheduled Backup failing over SCP via EEM |
ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade |
Traceback observed while performing master role change with active IGMP joins |
ASA Crashes in SNMP while joining the cluster when "key config-key password-encryption" is present |
SSH keys lost in ASA after reload |
%ASA-3-737403 is used incorrectly when vpn-addr-assign local reuse-delay is configured |
Memory leak: due to resource-limit MIB handler, eventually causing reload |
FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry |
ASA traceback in Thread Name kerberos_recv |
ASA traceback and reload with Flow lookup calling traceback |
ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS |
ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA |
FTD Lina traceback in datapath due to double free |
ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread" |
GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope |
ASA traceback in threadname 'ppp_timer_thread' |
ASA experienced a traceback and reloaded |
ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message |
[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily |
FMC pushes certificate map incorrectly to lina |
FTD - Connection idle timeout doesn't reset |
ASA traceback after TACACS authorized user made configuration changes |
Display RADIUS port representation as little-endian instead of big-endian |
FTD: Snort policy changes deployed to a HA on failed state are not fully synced |
ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance |
FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks |
IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599 |
Embryonic connections limit does not work consistently |
CTS SGT propagation gets enabled after reload |
Cluster / aaa-server key missing after "no key config-key" is entered |
ASA: Automatic DENY rule applied in multiple contexts due to the use of the dhcp-network-scope |
ASA traceback and reload on thread name DATAPATH |
AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently |
DSCP values not preserved in DTLS packets towards AnyConnect users |
FTD: Traceback and reload when changing capture buffer options on a already applied capture |
ASA unable to delete ACEs with remarks and display error "Specified remark does not exist" |
Cannot change (modify) interface speed after upgrade |
Snmp stops responding. CLI returns: Unable to honour this request now. |
The drop rate in show interface for inline sets is incorrect |
Dynamic routing protocols summary route not being replicated to standby |
ASA drops GTPV1 Forward relocation Request message with Null TEID |
ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread |
Native VPN client with EAP-TLS authentication fails to connect to ASA |
FTD in TAP mode won't capture on egress interfaces |
ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly |
ASA 'session sfr' command disconnects from FirePOWER module for initial setup |
Multicast traffic is being dropped with the reason no-mcast-intrf |
Multicast EIGRP traffic not seen on internal FTD interface |
ASA learning a new route removes asp route table created by floating static |
Cluster site-specific MAC addresses not rewritten by flow-offload |
Stale VPN routes for L2TP, after the session was terminated |
Lina Traceback during FTD deployment when WCCP config is being pushed |
SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject |
ASA gets frozen after crypto engine failure |
Netflow template not sent under certain circumstances |
WEBVPN: ERROR: Invalid tunnel group name on Multi-Context ASA |
Observed traceback in FPR2130 while running webVPN, SNMP related traffic. |
ASA traceback and reload unexpectedly on "Process Name: lina" |
ASA: Watchdog Traceback and reload on SNMP functions with syslog traps |
ASA Traceback and reload on thread name Crypto CA |
Rate-limit syslogs 780001/780002 by default on ASA |
SNMP: Memory leak in VPN polling |
Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63 |
Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically. |
ASA traceback when running show asp table classify domain permit |
snmpwalk for OID on ISA 3000 returning value of 0 for .16 and .17 |
ASA IKEv2 VTI - Failed to request SPI from CTM as responder |
ASA: Extended downtime after reload after CSCuw51499 fix |
ASA logging rate-limit 1 5 message ... limits to 1 message in 10 seconds instead of 5 |
ASA silently dropping OSPF LS Update messages from neighbors |
ASA stops processing RIP packets after system upgrade |
'show sctp' command is unavailable when carrier license is out of compliance |
Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows |
ASAv5 reloads without traceback. |
Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection |
ASA traceback and reload when running Packet Tracer commands |
ASA: ACL compilation takes more time on standby |
WebSSL clientless user accounts being locked out on 1st bad password |
ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX |
FTD stuck in Maintenance Mode after upgrade to 6.6.1 |
ASA/FTD may traceback and reload due to memory corruption in SNMP |
ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user |
Resolved Bugs in Version 9.14(1.30)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
ASA/FTD traceback and reload in Thread Name: SXP CORE |
Stuck uauth entry rejects AnyConnect user connections |
"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs |
ASA traceback and reload due to tcp_retrans_timeout internal thread handling |
[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches |
ASA traceback and reload on Thread Name SSH |
AnyConnect and Management Sessions fail to connect after several weeks |
FPR 2100, low block 9472 causes packet loss through the device. |
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22 |
RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted |
ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec' |
ASA traceback and reload multiple times with trace "webvpn_periodic_signal" |
Lina traceback when changing device mode of FTD |
FP2100: Traceback and reload when processing traffic through more than two inline sets |
After upgrade to version is not possible to add an access-group |
Inconsistent timestamp format in syslog |
ASA Traceback Due to Umbrella Inspection |
ICMP Reply Dropped when matched by ACL |
ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
FPR1010 temperature thresholds should be changed |
ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface |
ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection |
Calls fail once anyconnect configuration is added to the site to site VPN tunnel |
Port-channel bundling is failing after upgrade to 9.8 version |
ASA/FTD may traceback and reload in Thread Name 'License Thread' |
Reduce number of fsync calls during close in flash file system |
ASA/FTD traceback and reload due to memory leak in SNMP community string |
Deployment is marked as success although LINA config was not pushed |
snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic
Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
IPv6 DNS server resolution fails when the server is reachable over the management interface. |
Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169) |
Incorrect access-list hitcount seen when configuring it with a capture on ASA |
DOC - Clarify the meaning of mp-svc-flow-control under show asp drop |
ASA/FTD may traceback and reload in Thread Name 'ssh' |
ASA: Traceback in thread Unicorn Admin Handler |
FTD Traceback in thread 'ctm_ipsec_display_msg' |
VPN failover recovery is taking approx. 30 seconds for data to resume |
FTD: Traceback and reload related to lina_host_file_open_raw function |
ASAv Unable to register smart licensing with IPv6 |
Active FTP fails when secondary interface is used on FTD |
sctp-state-bypass is not getting invoked for inline FTD |
FPR2100 - ASA in Appliance Mode - SNMP Delay |
Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train |
Multi-context ASA/LINA on FPR not sending DHCP release message |
Erase disk0 on ISA3000 causes file system not supported |
Dynamic RRI route is not destroyed when IKEv2 tunnel goes down |
Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros |
Crypto ring stalls when the length in the ip header doesn't match the packet length |
ASA LDAPS connection fails on Firepower 1000 Series |
FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto |
Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI |
Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008 |
Fragmented packets forwarded to fragment owner are not visible on data interface captures |
Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56 |
ASA traceback Thread name - webvpn_task |
ASA5585 traceback and reload after upgrading SFR from 6.4.0 to |
LINA cores are generated when FTD is configured to do SSL decryption. |
ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process |
remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around
ASA is sending failover interface check control packets with a wrong destination mac address |
ASA may traceback and unexpectedly reload after SSL handshake |
Route Fallback doesn't happen on Slave unit, upon RRI route removal. |
NetFlow reporting impossibly large flow bytes |
FTD traceback and reload on thread "IKEv2 Mgd Timer Thread" |
Adjust Firepower 4120 Maximum VPN Session Limit to 20,000 |
FTD traceback and reload on FP2120 LINA Active Box. VPN |
Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100 |
ASA traceback and reload for the CLI "show asp table socket 18421590 det" |
Unable to access anyconnect webvpn portal from google chrome using group-url |
SNMP traps can't be generated via diagnostic interface |
ASA traceback and reload with thread name coa_task |
Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA |
ASA should allow null sequence encoding in certificates for client authentication. |
Certificate mapping for AnyConnect on FTD stops working. |
ASAv on AWS BYOL image cannot be enabled for PLR |
IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions |
tsd0 not reset when ssh quota limit is hit in ci_cons_shell |
Traceback: Modifying FTD inline-set tap-mode configuration with active traffic |
AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting |
Device loses ssh connectivity when username and password is entered |
FPR2100: ASA console may hang & become unresponsive in low memory conditions |
ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS |
aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment |
cert map to specify CRL CDP Override does not allow backup entries |
ASAv - Traceback and reload on SNMP process |
Timestamp format will be shown always in UTC |
Lina cores on multi-instance causing a boot loop on both logical-devices |
FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload |
ASA on QP platforms display wrong coredump filesystem space (50 GB) |
DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently. |
ASA traceback and reload on function snmp_master_callback_thread |
Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup |
ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN |
HKT - Failover time increases with upgrade to |
ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread |
FTD failover units traceback and reload on DATAPATH |
ASA generated a traceback and reloaded when changing the port value of a manual nat rule |
Config_XML_Response from LINA is not in the correct format, Lina reporting as No memory available.
FTD traceback & reload on thread name : CP processing |
ASA interface ACL dropping snmp control-plane traffic from ASA |
WebVPN SSO Gives Unexpected Results when Integrated with Kerberos |
ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade |
Traceback observed while performing master role change with active IGMP joins |
ASA Crashes in SNMP while joining the cluster when "key config-key password-encryption" is present
SSH keys lost in ASA after reload |
ASA inconsistent behavior with DNS doctoring |
Memory leak: due to resource-limit MIB handler, eventually causing reload |
FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry |
ASA traceback in Thread Name kerberos_recv |
ASA traceback and reload with Flow lookup calling traceback |
ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS |
ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA |
FTD Lina traceback in datapath due to double free |
ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread" |
GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope |
ASA traceback in threadname 'ppp_timer_thread' |
ASA experienced a traceback and reloaded |
ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message |
[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily |
FMC pushes certificate map incorrectly to lina |
ASA traceback after TACACS authorized user made configuration changes |
FTD: Snort policy changes deployed to a HA on failed state are not fully synced |
ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance |
FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks |
IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599 |
Embryonic connections limit does not work consistently |
Cluster / aaa-server key missing after "no key config-key" is entered |
Deployment failure after configure sub-interfaces on POE enabled interfaces |
ASA traceback and reload on thread name DATAPATH |
AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently |
DSCP values not preserved in DTLS packets towards AnyConnect users |
FTD: Traceback and reload when changing capture buffer options on an already applied capture
ASA unable to delete ACEs with remarks and display error "Specified remark does not exist" |
Cannot change (modify) interface speed after upgrade |
EIGRP summary route not being replicated to standby and causing outage after switchover |
ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread |
Native VPN client with EAP-TLS authentication fails to connect to ASA |
ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly |
ASA 'session sfr' command disconnects from FirePOWER module for initial setup |
Multicast traffic is being dropped with the reason no-mcast-intrf
Multicast EIGRP traffic not seen on internal FTD interface |
Cluster site-specific MAC addresses not rewritten by flow-offload |
Stale VPN routes for L2TP, after the session was terminated |
Lina Traceback during FTD deployment when WCCP config is being pushed |
SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject |
ASA gets frozen after crypto engine failure |
Netflow template not sent under certain circumstances |
Observed traceback in FPR2130 while running webVPN, SNMP related traffic. |
ASA traceback and reload unexpectedly on "Process Name: lina" |
ASA: Watchdog Traceback and reload on SNMP functions |
ASA Traceback and reload on thread name Crypto CA |
Rate-limit syslogs 780001/780002 by default on ASA |