Release Notes for the Cisco ASA Series, 9.15(x)

This document contains release information for Cisco ASA software Version 9.15(x).

Important Notes

  • No support in ASA 9.15(1) and later for the ASA 5525-X, ASA 5545-X, and ASA 5555-X—ASA 9.14(x) is the last supported version. For the ASA FirePOWER module, the last supported version is 6.6.

  • Cisco announces the feature deprecation for Clientless SSL VPN effective with ASA version 9.17(1)—Limited support will continue on releases prior to 9.17(1).

  • For the Firepower 1010, invalid VLAN IDs can cause problems—Before you upgrade to 9.15(1), make sure you are not using a VLAN for switch ports in the range 3968 to 4047. These IDs are for internal use only, and 9.15(1) includes a check to make sure you are not using these IDs. For example, if these IDs are in use after upgrading a failover pair, the failover pair will go into a suspended state. See CSCvw33057 for more information.

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later—There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • SAMLv1 feature deprecation—Support for SAMLv1 is deprecated.

  • Low-Security Cipher Removal in ASA 9.15(1)—Support for the following less secure ciphers used by IKE and IPsec has been removed:

    • Diffie-Hellman groups: 2 and 24

    • Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256, NULL, ESP-3DES, ESP-DES, ESP-MD5-HMAC

    • Hash algorithms: MD5


    Low-security SSH and SSL ciphers have not yet been removed.

    Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:

    • The command will use the default cipher.

    • The command will be removed.

    Fixing your configuration before upgrading is especially important for clustering or failover deployments. For example, if the secondary unit is upgraded to 9.15(1), and the removed ciphers are synced to this unit from the primary, then the secondary unit will reject the configuration. This rejection might cause unexpected behavior, like failure to join the cluster.

    IKEv1: The following subcommands are removed:

    • crypto ikev1 policy priority:

      • hash md5

      • encryption 3des

      • encryption des

      • group 2

    IKEv2: The following subcommands are removed:

    • crypto ikev2 policy priority:

      • prf md5

      • integrity md5

      • group 2

      • group 24

      • encryption 3des

      • encryption des

      • encryption null

    IPsec: The following subcommands are removed:

    • crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac

    • crypto ipsec ikev2 ipsec-proposal name

      • protocol esp integrity md5

      • protocol esp encryption 3des aes-gmac aes-gmac-192 aes-gmac-256 des

    • crypto ipsec profile name

      • set pfs group2 group24

    Crypto Map: The following subcommands are removed:

    • crypto map name sequence set pfs group2

    • crypto map name sequence set pfs group24

    • crypto map name sequence set ikev1 phase1-mode aggressive group2

  • Re-introduction of CRL Distribution Point configuration—The static CDP URL configuration option, which was removed in 9.13(1), was re-introduced in the match-certificate command.

  • Restoration of bypass certificate validity checks option—The option to bypass revocation checking due to connectivity problems with the CRL or OCSP server was restored.

    The following subcommands were restored:

    • revocation-check crl none

    • revocation-check ocsp none

    • revocation-check crl ocsp none

    • revocation-check ocsp crl none
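
The following pre-upgrade check is an added example, not part of the Cisco release notes or any Cisco tooling: a Python script that scans a saved running-config for the IKEv1, IKEv2, IPsec, and crypto map keywords listed as removed under Low-Security Cipher Removal above. It assumes the usual one-space indentation of sub-mode commands in a saved configuration; the function names and the sample configuration are constructed for illustration.

```python
import re

# Keywords removed in 9.15(1), transcribed from the cipher-removal note above.
SUBMODE_RULES = {
    "crypto ikev1 policy": {
        "hash": {"md5"}, "encryption": {"3des", "des"}, "group": {"2"}},
    "crypto ikev2 policy": {
        "prf": {"md5"}, "integrity": {"md5"}, "group": {"2", "24"},
        "encryption": {"3des", "des", "null"}},
    "crypto ipsec ikev2 ipsec-proposal": {
        "protocol esp integrity": {"md5"},
        "protocol esp encryption": {
            "3des", "des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}},
    "crypto ipsec profile": {"set pfs": {"group2", "group24"}},
}
TRANSFORM_SET = re.compile(r"^crypto ipsec ikev1 transform-set \S+ (.+)$")
REMOVED_TRANSFORMS = {"esp-3des", "esp-des", "esp-md5-hmac"}
CRYPTO_MAP = re.compile(r"^crypto map \S+ \d+ set (?:pfs (group2|group24)"
                        r"|ikev1 phase1-mode aggressive (group2))$")


def removed_in(parent, line):
    """Return the removed keywords used by one stripped config line."""
    if parent is None:  # global (single-line) command
        m = TRANSFORM_SET.match(line)
        if m:
            return REMOVED_TRANSFORMS & set(m.group(1).split())
        m = CRYPTO_MAP.match(line)
        return {m.group(1) or m.group(2)} if m else set()
    for keyword, removed in SUBMODE_RULES[parent].items():
        if line.startswith(keyword + " "):
            return removed & set(line[len(keyword):].split())
    return set()


def audit_config(text):
    """Return (line number, command, removed keyword) for each finding."""
    findings, parent = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():  # sub-mode command under the last header
            hits = removed_in(parent, line) if parent else set()
        else:  # global command, which may also open a tracked sub-mode
            parent = next((p for p in SUBMODE_RULES
                           if line.startswith(p + " ")), None)
            hits = removed_in(None, line)
        findings.extend((number, line, hit) for hit in sorted(hits))
    return findings


# Constructed sample running-config fragment, not taken from a device.
SAMPLE = """\
crypto ikev1 policy 10
 encryption 3des
 group 2
crypto ikev2 policy 20
 encryption aes-256 3des
 integrity sha256 md5
 group 14 24
crypto ipsec ikev1 transform-set TS-LEGACY esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal PROP1
 protocol esp encryption aes-gmac-256 aes-256
crypto map OUTSIDE_MAP 10 set pfs group2
"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
```

Run it against the configuration of every unit in a failover pair or cluster before upgrading, since a rejected configuration synced from the primary is the failure case the note describes.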

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in ASA 9.15(1)

Released: November 2, 2020



Platform Features

ASAv for the Public Cloud

We introduced the ASAv for the following Public Cloud offerings:

  • Oracle Cloud Infrastructure (OCI)

  • Google Cloud Platform (GCP)

No modified commands.

ASAv support for Autoscale

The ASAv now supports Autoscale for the following Public Cloud offerings:

  • Amazon Web Services (AWS)

  • Microsoft Azure

Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements.

No modified commands.

ASAv for Microsoft Azure support for Accelerated Networking (SR-IOV).

The ASAv on the Microsoft Azure Public Cloud now supports Azure's Accelerated Networking (AN), which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

No modified commands.

Firewall Features

Changes to PAT address allocation in clustering. The PAT pool flat option is now enabled by default and it is not configurable.

The way PAT addresses are distributed to the members of a cluster is changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the master instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the number of connections you typically need to PAT. Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally include the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address.

As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1023 - 65535. Previously, you could optionally use a flat range by including the flat keyword in a PAT pool rule. The flat keyword is no longer supported: the PAT pool is now always flat. The include-reserve keyword, which was previously a sub-keyword to flat, is now an independent keyword within the PAT pool configuration. With this option, you can include the 1 - 1023 port range within the PAT pool.

Note that if you configure port block allocation (the block-allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster.

New/Modified commands: nat, show nat pool

XDMCP inspection disabled by default in new installations.

Previously, XDMCP inspection was enabled by default for all traffic. Now, on new installations, which includes new systems and reimaged systems, XDMCP is off by default. If you need this inspection, please enable it. Note that on upgrades, your current settings for XDMCP inspection are retained, even if you simply had it enabled by way of the default inspection settings.

High Availability and Scalability Features

Disable failover delay

When you use bridge groups or IPv6 DAD and a failover occurs, the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state. Then the active unit can start passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions.

New/Modified commands: failover wait-disable

Routing Features

Multicast IGMP interface state limit raised from 500 to 5000

The multicast IGMP state limit per interface was raised from 500 to 5000.

New/Modified commands: igmp limit

Also in 9.12(4).

Interface Features

DDNS support for the web update method

You can now configure an interface to use DDNS with the web update method.

New/Modified commands: show ddns update interface, show ddns update method, web update-url, web update-type

Certificate Features

Modifications to Match Certificate commands to support static CRL Distribution Point URL

The static CDP URL configuration commands allowed CDPs to be mapped uniquely to each certificate in a chain that is being validated. However, only one such mapping was supported for each certificate. This modification allows statically configured CDPs to be mapped to a chain of certificates for authentication.

New/Modified commands: match certificate override cdp

Administrative and Troubleshooting Features

Manual import of node secret file from the RSA Authentication Manager for SDI AAA server groups.

You can import the node secret file that you export from the RSA Authentication Manager for use with SDI AAA server groups.

We added the following commands: aaa sdi import-node-secret, clear aaa sdi node-secret, show aaa sdi node-secrets.

show fragment command output enhanced

The output of the show fragment command was enhanced to include IP fragment related drops and error counters.

No modified commands.

show tech-support command output enhanced

The output of the show tech-support command was enhanced to include the bias that is configured for the crypto accelerator. The bias value can be ssl, ipsec, or balanced.

No modified commands.

Monitoring Features

Support to configure cplane keepalive holdtime values

Due to communication delays caused by high CPU usage, the response to the keepalive event fails to reach the ASA, triggering a failover due to card failure. You can now configure the keepalive timeout period and the maximum keepalive counter value to ensure sufficient time and retries are given.

New/Modified commands: service-module

VPN Features

Support for configuring the maximum in-negotiation SAs as an absolute value

You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed.

New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value

Also in 9.12(4).

Cross-Site Request Forgery (CSRF) Vulnerabilities Prevention for WebVPN Handlers

ASA provides protection against CSRF attacks for WebVPN handlers. If a CSRF attack is detected, a user is notified by warning messages. This feature is enabled by default.

Kerberos server validation for Kerberos Constrained Delegation (KCD).

When configured for KCD, the ASA initiates an AD domain join with the configured server in order to acquire Kerberos keys. These keys are required for the ASA to request service tickets on behalf of clientless SSL VPN users. You can optionally configure the ASA to validate the identity of the server during domain join.

We modified the kcd-server command to add the validate-server-certificate keyword.

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.


For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.


ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2(x) was the final version for the ASA 5505.

ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.

Current Version

Interim Upgrade Version

Target Version


Any of the following:

→ 9.15(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)


Any of the following:

→ 9.15(x)

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

Any of the following:

→ 9.14(x)


→ 9.8(x)

→ 9.1(7.4)


→ 9.1(2)

Any of the following:

→ 9.14(x)


→ 9.8(x)

→ 9.1(7.4)

9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.14(x)


→ 9.8(x)

→ 9.6(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.14(x)


→ 9.8(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.14(x)


→ 9.8(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:


→ 9.8(x)

→ 9.1(7.4)


Any of the following:


→ 9.8(x)

→ 9.1(7.4)

→ 9.0(4)

8.4(1) through 8.4(4)

→ 9.0(4)


→ 9.8(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:


→ 9.8(x)

→ 9.1(7.4)

8.2(x) and earlier

→ 9.0(4)

Any of the following:


→ 9.8(x)

→ 9.1(7.4)

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


You must have an account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.15(x)

The following table lists select open bugs at the time of this Release Note publication.

Caveat ID Number



ASA - rare cp processing corruption causes console lock


ASA : Traceback on tcp_intercept Thread name : Threat detection


6.4.0-102 2140 w/ SSL policy runs out of 1550 and 9472 blocks. doesn't recover


ASA traceback when running "no threat-detection statistics tcp-intercept" command


ASA/Lina traceback in DATAPATH


Using EEM on ASA may cause HA pair to reload when resources are depleted.


ASA traceback with thread: idfw_proc


ASA:Not replicating specific configuration to standby ASA when copying config file to the active ASA


2100: incoming packets dropped due to "no buffer" and outgoing packets leading to block depletion


Internal1/1 data interface goes down without any reason or logs.


snort-busy counter incrementing while snort cpu less than 40%


ASA: Unexpected traceback and reload due to DRBG health check failure


FTD with RAVPN and sysopt connection permit-vpn, stops working when adding a monitor rule


Intermittently after reboot, ADI can't join KCD


Clear crypto ipsec sa inactive command not deleting outbound SAs


Failover: standby unit crashed during modifying access-lists, with high CPU utilization


6.7.0-1992: SSL info is not populated in the FMC connection events page


Improper ordering of context between primary and secondary ASA units in multi-context mode


Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header


DAP - No Client Certificate information is passed to DAP


SNMP traps not generated on FP 2100 after changing from platform to appliance mode on


ISA-3000 hardware-bypass behavior is not changed after write erase


ASA/FTD may traceback and reload in Thread Name 'IKE Daemon'


ASA traceback while modifying the bookmark SSL Ciphers configuration


ASA 256 and 1550 block depletion causes DMA Memory unreleased allocation


OSPF network commands go missing in the startup-config after upgrading the ASA


ASA should use IPv4 for OCSP as a fallback method because IPv6 is not supported


ASA not closing connections associated with terminated S2S connection


Static routes not replicating to Standby Unit.


FPR-2110 traceback with crypto_pki traceback


SOF seen after EOF for a connection without any further packets


ASA5555 traceback and reload on Thread Name: ace_work


ASA traceback "Address not mapped" "periodic_handler_internal"


ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process


SSL VPN connection failed to establish when the counter of active session reaching a certain value


ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.


ASA5516 9.12.3 crash and reboot for the active unit (Octeon crash)


Secondary unit not able to join the cluster


Large object-group config with increased control point CPU usage can lead to config sync failure


ASA traceback and reload due to VPN thread on firepower 2140


Fragments in Q-in-Q frames are dropped by lina when using inline set


ASA is getting traceback and reload frequently due to memory corruption


ASA will not import CA certificate with name constraint of RFC822Name set as empty


Duplicate MAC Addresses in Shared Interfaces of Contexts


FTD/HA: "no shutdown" command disappear from running-config of standby


FTD Traceback On appAgent_hb_receiver_thread


Stale VPN Context seen for AnyConnect IKEv2 sessions


AnyConnect client-to-client communication (Cisco IP Phone Calls) blocked after upgrade to 9.12(4)


ASA traceback and reload on NTP thread triggered watch dog


ASAv traceback and reload in thread name Pthread on version 9.12(3)9


Heapcache Memory depleting rapidly due to certificate chain failed validation


IKEv1 Phase 2 incorrectly hits deny statement of crypto ACL


FPR1k ASA stops passing traffic when a member of the port-channel is down


Offloaded UDP traffic not failed over to secondary route in ECMP setup


Redirect failure for Chrome Popups when using bookmark for clientless VPN


ASA memory usage stays at 100%.


WebVPN: Not able to open the WebVPN portal


ASA long CPU hogs caused by "Crypto CA" process


ASA traceback in the LINA process


FP2100 traceback observed in IKE daemon


OSPF Database don't reflect RIB changes


Enabling Jumbo frames on the ASA 5508 causes low DMA memory issues


ASA Traceback and reload on SNMP functions


ASA/FTD Traceback and reload in Thread Name: Logger


vpn_putuauth: ERR: uxlate collision for ip x.x.x.x user xxxxx on interface outside.


FTP File transfer (Big File) not properly closed when Flow offload is enabled


ASA Traceback in thread name: DATAPATH


ASA traceback and reload on Thread Name: ci/console


IKEv2 with EAP, MOBIKE status fails to be processed.


H323 Inspection not natting the Media server IP embedded in FacilityOpenLocgicalChannel packet


Unable to access SAP portal hyperlinks over webvpn only from the Google Chrome


ASA WM 1010: FXOS_PARSER_ERROR: curl return with error code:401 invalid IDs

Resolved Bugs in Version 9.15(1)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number



ASA: crypto session handles leak on the standby unit


Traffic does not fallback to primary interface from crypto map when interface becomes available


Standby unit traceback at fover_parse and boot loop when detecting Active unit


Ping Failure on ASAv - 9.13 after CAT9k reboot


SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1


traceback: ASA reloaded lina_sigcrash+1394


ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down


Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4


After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa.


Interface status may be mismatched between application and chassis due to missed update


ASA still doesn't allow to poll internal-data0/0 counters via SNMP in multiple mode


Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue


Removing static ipv6 route from management-only route table affects data traffic


ASA Anyconnect url-redirect not working for ipv6


Traceback Cluster unit on snpi_nat_xlate_destroy+2508


DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail


ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user


ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order


ASA traceback and reload in fover_parse when attempting to join the failover pair.


ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing


After modify network/service object name. mis-match will occur on hash value of ACL in syslog.


Inner flow: U-turn GRE flows trigger incorrect connection flow creation


FTD stuck in Maintenance Mode after upgrade to 6.6.1


ASA cluster members 2048 block depletion due to "VPN packet redirect on peer"


DHCP-Proxy renewal timer is not started after failover