Release Notes for the Cisco ASA Series, 9.5(x)
First Published: 2015-08-31
Last Modified: 2017-04-17
This document contains release information for Cisco ASA software Version 9.5(x).
Important Notes
• Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing
traffic after 213 days of uptime. The effect on each network will be different, but it could range from
an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new
version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213
days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions
and more information.
• E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s,
pop3s, smtps) and subcommands are no longer supported.
• CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image,
show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan
image) are no longer supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan
image migrates to hostscan image.
• Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands
(override-account-disable, authentication crack) are no longer supported.
• The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes
differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name
Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates
with an OU field name of 60 characters. Because of this difference, certificates that can be imported in
ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA
running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module
compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Note
Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.
Feature
Description
Remote Access Features
Configurable SSH encryption and
HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure
HMAC and encryption for varying key exchange algorithms. You might want to change the
ciphers to be more or less strict, depending on your application. Note that the performance of
secure copy depends partly on the encryption cipher used. By default, the ASA negotiates
one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc
aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then
the performance is much slower than a more efficient algorithm such as aes128-cbc. To change
the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen: Configuration > Device Management > Advanced >
SSH Ciphers
Also available in 9.1(7) and 9.4(3).
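One way to check which SSH encryption ciphers a saved configuration will propose, using the default order and the custom form quoted above. This is an added example, not Cisco code; the colon-delimited custom list, the handling of other keywords as named presets, the CTR-only site policy, and the sample configurations are assumptions.

```python
"""Audit an ASA running-config for the SSH encryption ciphers it proposes."""
import re

# Default proposal order as listed in the release note above.
DEFAULT_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
]
KNOWN_CIPHERS = set(DEFAULT_CIPHERS)

# "ssh cipher encryption custom <list>" is the form shown in the release note.
# Assumption: several ciphers are given as one colon-delimited, optionally quoted list.
CUSTOM_RE = re.compile(r'^\s*ssh cipher encryption custom\s+"?([^"\s]+)"?\s*$')
# Assumption: any other keyword after "ssh cipher encryption" names a preset list.
PRESET_RE = re.compile(r'^\s*ssh cipher encryption (?!custom\b)(\S+)\s*$')


def effective_ciphers(running_config):
    """Return (source, ciphers); ciphers is None when a preset cannot be resolved offline."""
    source, ciphers = "default", list(DEFAULT_CIPHERS)
    for line in running_config.splitlines():
        custom = CUSTOM_RE.match(line)
        preset = PRESET_RE.match(line)
        if custom:
            source = "custom"
            ciphers = [c for c in custom.group(1).split(":") if c]
        elif preset:
            source, ciphers = "preset:" + preset.group(1), None
    return source, ciphers


def audit(running_config, require_ctr=True):
    """Return (source, ciphers, findings); findings is a list of (level, message)."""
    source, ciphers = effective_ciphers(running_config)
    findings = []
    if ciphers is None:
        findings.append(("info", source + ": cipher list must be read from the device"))
        return source, ciphers, findings
    if source == "default":
        findings.append(("warn", "no 'ssh cipher encryption' line; default order applies"))
    if ciphers and ciphers[0] == "3des-cbc":
        findings.append(("warn", "3des-cbc is proposed first; slowest choice for secure copy"))
    elif "3des-cbc" in ciphers:
        findings.append(("warn", "3des-cbc is still proposed"))
    unknown = [c for c in ciphers if c not in KNOWN_CIPHERS]
    if unknown:
        findings.append(("error", "unrecognized cipher name(s): " + ", ".join(unknown)))
    if require_ctr:  # assumed site policy: only CTR-mode ciphers are acceptable
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        if cbc:
            findings.append(("policy", "CBC-mode ciphers proposed: " + ", ".join(cbc)))
    return source, ciphers, findings


# Constructed sample configurations (not taken from a real device).
SAMPLE_DEFAULT = """\
hostname edge-asa
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10
"""
SAMPLE_CUSTOM = """\
hostname edge-asa
ssh cipher encryption custom aes128-ctr:aes256-ctr
ssh timeout 10
"""
SAMPLE_FROM_NOTE = "ssh cipher encryption custom aes128-cbc\n"

if __name__ == "__main__":
    for name, cfg in [("default", SAMPLE_DEFAULT), ("custom", SAMPLE_CUSTOM),
                      ("from-note", SAMPLE_FROM_NOTE)]:
        source, ciphers, findings = audit(cfg)
        print(name, source, ciphers)
        for level, message in findings:
            print("  [%s] %s" % (level, message))
```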
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note
This release supports only the ASAv.
Feature
Description
Platform Features
Microsoft Azure support on the
ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V
Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V
Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3,
which supports four vCPUs, 14 GB, and four interfaces.
Licensing Features
Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager
is not allowed, you can request a permanent license for the ASAv.
Note
Not all accounts are approved for permanent license reservation. Make sure you have
approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation
cancel, license smart reservation install, license smart reservation request universal,
license smart reservation return
No ASDM support.
Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports
permanent license reservation and also supports setting the Strong Encryption (3DES/AES)
license entitlement according to the permission set in your license account.
Note
If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing
registration state. You need to re-register with the license smart register idtoken
id_token force command, or on the Configuration > Device Management > Licensing >
Smart Licensing page with the Force registration option; obtain the ID token from
the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show
license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show
license pool, show license registration
We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note
This release supports only the ASA on the Firepower 9300.
Feature
Description
Platform Features
VPN support for the ASA on the
Firepower 9300
With FXOS 1.1.3, you can now configure VPN features.
Firewall Features
Flow off-load for the ASA on the
Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the
NIC (on the Firepower 9300). This provides improved performance for large data flows in
data centers.
Also requires FXOS 1.1.3.
We added or modified the following commands: clear flow-offload, flow-offload enable,
set-connection advanced-options flow-offload, show conn detail, show flow-offload.
We added or modified the following screens: Configuration > Firewall > Advanced >
Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules
under Configuration > Firewall > Service Policy Rules.
High Availability Features
Inter-chassis clustering for 6 modules, and inter-site clustering for
the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering.
You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Strong Encryption (3DES) license
automatically applied for the ASA
on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically
enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note
If you are using the Smart Software Manager satellite deployment, to use ASDM
and other strong encryption features, after you deploy the ASA you must enable the
Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature
strong-encryption
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Feature
Description
Platform Features
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is
low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model
comes with the ASA Firepower module pre-installed. Special features for this model include
a customized transparent mode default configuration, as well as a hardware bypass function
to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following command: hardware-bypass, hardware-bypass manual,
hardware-bypass boot-delay
We modified the following screen: Configuration > Device Management > Hardware
Bypass
Also in Version 9.4(1.225).
Firewall Features
DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages.
You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset
or log particular message types. There is a new DCERPC inspection class map for UUID
filtering.
We introduced the following command: match [not] uuid. We modified the following
command: class-map type inspect.
We added the following screen: Configuration > Firewall > Objects > Class Maps >
DCERPC.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps
> DCERPC.
Diameter inspection
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.
We introduced or modified the following commands: class-map type inspect diameter,
diameter, inspect diameter, match application-id, match avp, match command-code,
policy-map type inspect diameter, show conn detail, show diameter, show service-policy
inspect diameter, unsupported
We added or modified the following screens:
Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection tab
SCTP inspection and access control
You can now use the SCTP protocol and port specifications in service objects, access control
lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier
license.
We introduced the following commands: access-list extended, clear conn protocol sctp,
inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object,
service, set connection advanced-options sctp-state-bypass, show conn protocol sctp,
show local-host connection sctp, show service-policy inspect sctp, timeout sctp
We added or modified the following screens:
Configuration > Firewall > Access Rules add/edit dialogs
Configuration > Firewall > Advanced > ACL Manager add/edit dialogs
Configuration > Firewall > Advanced > Global Timeouts
Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT
Settings dialog box
Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs
Configuration > Firewall > Objects > Inspect Maps > SCTP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection and Connection Settings tabs
Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888). This feature is now
supported in failover and ASA cluster deployments.
We modified the following command: show local-host
We did not modify any screens.
Captive portal for active authentication on ASA FirePOWER 6.0
The captive portal feature is required to enable active authentication using identity policies
starting with ASA FirePOWER 6.0.
We introduced or modified the following commands: captive-portal, clear configure
captive-portal, show running-config captive-portal.
High Availability Features
LISP Inspection for Inter-Site Flow Mobility
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from
its location into two different numbering spaces, making server migration transparent to clients.
The ASA can inspect LISP traffic for location changes and then use this information for
seamless clustering operation; the ASA cluster members inspect LISP traffic passing between
the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then
change the flow owner to be at the new site.
We introduced or modified the following commands: allowed-eid, clear cluster info
flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster
flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map
type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info
flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key
We introduced or modified the following screens:
Configuration > Device Management > High Availability and Scalability > ASA Cluster
> Cluster Configuration
Configuration > Firewall > Objects > Inspect Maps > LISP
Configuration > Firewall > Service Policy Rules > Protocol Inspection
Configuration > Firewall > Service Policy Rules > Cluster
Monitoring > Routing > LISP-EID Table
ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default
in the base license.
We did not modify any commands.
We did not modify any screens.
Configurable level for clustering
trace entries
By default, all levels of clustering events are included in the trace buffer, including many low
level events. To limit the trace to higher level events, you can set the minimum trace level for
the cluster.
We introduced the following command: trace-level
We did not modify any screens.
Interface Features
Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA
receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.
We introduced or modified the following commands: vlan secondary, show vlan mapping
We modified the following screens: Configuration > Device Setup > Interface Settings >
Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General
Routing Features
PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different
groups. For large complex networks where multiple RPs could exist, the ASA now supports
dynamic RP selection using PIM BSR to support mobility of RPs.
We introduced the following commands: clear pim group-map, debug pim bsr, pim
bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers
We introduced the following screen: Configuration > Device Setup > Routing > Multicast
> PIM > Bootstrap Router
Remote Access Features
Support for Remote Access VPN in multiple context mode
You can now use the following remote access features in multiple context mode:
• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
• Centralized AnyConnect image configuration
• AnyConnect image upgrade
• Context Resource Management for AnyConnect connections
Note
The AnyConnect Apex license is required for multiple context mode; you cannot use
the default or legacy license.
We introduced the following commands: limit-resource vpn anyconnect, limit-resource
vpn burst anyconnect
We modified the following screen: Configuration > Context Management > Resource
Class > Add Resource Class
Clientless SSL VPN offers SAML
2.0-based Single Sign-On (SSO)
functionality
The ASA acts as a SAML Service Provider.
Clientless SSL VPN conditional
debugging
You can debug logs by filtering, based on the filter condition sets, and can then better analyze
them.
We introduced the following additions to the debug command:
• [no] debug webvpn condition user <user name>
• [no] debug webvpn condition group <group name>
• [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]
• [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]
• debug webvpn condition reset
• show debug webvpn condition
• show webvpn debug-condition
Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN
cache provides better stability. If you want to enable the cache, you must manually enable it.
webvpn
 cache
  no disable
We modified the following command: cache
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Advanced > Content Cache
Licensing Features
Validation of the Smart Call
Home/Smart Licensing certificate if
the issuing hierarchy of the server
certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures
Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint
containing the certificate of the CA that issued the Smart Call Home server certificate. The
ASA now supports validation of the certificate if the issuing hierarchy of the server certificate
changes; you can enable the automatic update of the trustpool bundle at periodic intervals.
We introduced the following command: auto-import
We modified the following screen: Configuration > Remote Access VPN > Certificate
Management > Trusted Certificate Pool > Edit Policy
New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support
for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp
command will automatically migrate to the feature carrier command.
We introduced or modified the following commands: feature carrier, show activation-key,
show license, show tech-support, show version
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
Monitoring Features
SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets
of engineIDs are maintained per ASA—synced engineID, native engineID and remote
engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve
localized snmp-server user authentication and privacy options. If a user does not specify the
native engineID, the show running config output will show two engineIDs per user.
We modified the following commands: snmp-server user, no snmp-server user
We did not add or modify any screens.
Also available in 9.4(3).
show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the following cases:
◦SSL VPN configuration: check if the required resources are on the ASA
◦Crash: check for the date timestamp and presence of a crash file
• Removes the show kernel cgroup-controller detail output—This command output
will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the
SSH connection were disconnected (due to network connectivity or timeout), then the debugs
were removed. Now, debugs persist for as long as the logging command is in effect.
We modified the following command: logging debug-trace
We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
Feature
Description
Platform Features
Support for ASA FirePOWER 6.0
The 6.0 software version for the ASA FirePOWER module is supported on all previously
supported device models.
Support for managing the ASA FirePOWER module through ASDM
for the 5512-X through 5585-X.
You can manage the ASA FirePOWER module using ASDM instead of using Firepower
Management Center (formerly FireSIGHT Management Center) when running version 6.0
on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X,
5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
Feature
Description
Remote Access Features
AnyConnect Version 4.2 support
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances
the enterprise administrator’s ability to do capacity and service planning, auditing, compliance,
and security analytics. The NVM collects the endpoint telemetry and logs both the flow data
and the file reputation in the syslog and also exports the flow records to a collector (a third-party
vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile (a new profile called Network Visibility Service
Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note
This release supports only the ASAv.
Feature
Description
Platform Features
Microsoft Hyper-V supervisor
support
Extends the hypervisor portfolio for the ASAv.
ASAv5 low memory support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For
already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see
an error that you are using more memory than is licensed.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note
This version does not support the Firepower 9300 ASA security module or the ISA 3000.
Feature
Description
Firewall Features
GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now
supports IPv6 addresses.
We modified the following commands: clear service-policy inspect gtp statistics, clear
service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message
id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request,
show service-policy inspect gtp statistics, timeout endpoint
We deprecated the following command: timeout gsn
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
GTP
IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the inspection to
allow, clear, or drop any standard or experimental options, including those not yet defined.
You can also set a default behavior for options not explicitly defined in an IP options inspection
map.
We introduced the following commands: basic-security, commercial-security, default,
exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start,
record-route, timestamp
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
IP Options
Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following commands: xlate block-allocation size, xlate block-allocation
maximum-per-host. We added the block-allocation keyword to the nat command.
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port
Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog
boxes.
High Availability Features
Inter-site clustering support for
Spanned EtherChannel in Routed
firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid
MAC address flapping, configure a site ID for each cluster member so that a site-specific
MAC address for each interface can be shared among a site’s units.
We introduced or modified the following commands: site-id, mac-address site-id, show
cluster info, show interface
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Configuration
ASA cluster customization of the
auto-rejoin behavior when an
interface or the cluster control link
fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link
fails.
We introduced the following command: health-check auto-rejoin
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Auto Rejoin
The ASA cluster supports GTPv1
and GTPv2
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any commands.
We did not modify any screens.
Cluster replication delay for TCP
connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying
the director/backup flow creation.
We introduced the following command: cluster replication delay
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module
such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger
failover, you can disable module monitoring.
We modified the following command: health-check monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Enable use of the Management 1/1
interface as the failover link on the
ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover
link. This feature lets you use all other interfaces on the device as data interfaces. Note that
if you use this feature, you cannot use the ASA Firepower module, which requires the
Management 1/1 interface to remain as a regular management interface.
We modified the following commands: failover lan interface, failover link
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > Failover > Setup
Routing Features
Support for IPv6 in Policy Based
Routing
IPv6 addresses are now supported for Policy Based Routing.
We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set
ipv6 dscp
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based
Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps >
Match Clause
VXLAN support for Policy Based
Routing
You can now enable Policy Based Routing on a VNI interface.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Interface Settings >
Interfaces > Add/Edit Interface > General
Policy Based Routing support for Identity Firewall and Cisco Trustsec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and
Cisco TrustSec ACLs in Policy Based Routing route maps.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps
> Add Route Maps > Match Clause
Separate routing table for
management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate
routing table for management-only interfaces.
We introduced or modified the following commands: backup, clear ipv6 route
management-only, clear route management-only, configure http, configure net, copy,
enrollment source, name-server, restore, show asp table route-management-only, show
ipv6 route management-only, show route management-only
We did not modify any screens.
Protocol Independent Multicast
Source-Specific Multicast
(PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing,
unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a
multicast group while also protecting against different attacks; hosts only receive traffic from
explicitly-requested sources.
We did not modify any commands.
We did not modify any screens.
Remote Access Features
IPv6 VLAN Mapping
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change
is necessary for the administrator.
Clientless SSL VPN SharePoint
2013 Support
Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type >
Predefined application templates
Dynamic Bookmarks for Clientless VPN
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the
list of macros when using bookmarks. These macros allow the administrator to configure a
single bookmark that can generate multiple bookmark links on the clientless user’s portal and
to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP
attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks
VPN Banner Length Increase
The overall banner length, which is displayed during post-login on the VPN remote client
portal, has increased from 500 to 4000.
We modified the following command: banner (group-policy).
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit
Internal Group Policy > General Parameters > Banner
Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X.
The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices
(computers, printers, and so on) behind the ASA on the Easy VPN port can communicate
over the VPN; they do not have to run VPN clients individually. Note that only one ASA
interface can act as the Easy VPN port; to connect multiple devices to that port, you need to
place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following commands: vpnclient enable, vpnclient server, vpnclient
mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient
vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts.
The default setting is to hide usernames when the username is invalid or if the validity is
unknown. If a user accidentally types a password instead of a username, for example, then it
is more secure to hide the “username” in the resultant syslog message. You might want to
show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging >
Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
REST API Features
REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Path
See the following table for the upgrade path for your version. Some versions require an interim upgrade before
you can upgrade to the latest version.
Current ASA Version      First Upgrade to:     Then Upgrade to:
8.2(x) and earlier       8.4(6)                9.1(3) and later
8.3(x)                   8.4(6)                9.1(3) and later
8.4(1) through 8.4(4)    8.4(6) or 9.0(2+)     9.1(3) and later
8.4(5+)                  —                     9.1(3) and later
8.5(1)                   9.0(2+)               9.1(3) and later
8.6(1)                   9.0(2+)               9.1(3) and later
9.0(1)                   9.0(2+)               9.1(3) and later
9.0(2+)                  —                     9.1(3) and later
9.1(1)                   9.1(2)                9.1(3) and later
9.1(2+)                  —                     9.1(3) and later
9.2(x)                   —                     9.2(2) and later
9.3(x)                   —                     9.3(2) and later
9.4(x)                   —                     9.4(2) and later
9.5(x)                   —                     9.5(2) and later
9.6(x)                   —                     9.6(2) and later
9.7(x)                   —                     9.8(1) and later
Upgrade Link
To complete your upgrade, see Upgrade to ASA 9.4 and ASDM 7.4.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based
tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and
vulnerabilities in this product and other Cisco hardware and software products.
Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have
one, you can register for an account. If you do not have a Cisco support contract, you can only look up
bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.5(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 9.5(x):
• 9.5 open bug search.
The following table lists open bugs at the time of this Release Note publication.
Caveat ID Number
Description
CSCto19832
OpenLDAP needs to be upgraded or patched
CSCuv86562
Traceback: ASA crash in thread name fover_health_monitoring_thread
CSCuw83618
ASA5508X SSD LED always green even when SSD is removed
CSCux20294
Free memory drops to 0 after clientless VPN Test
CSCux75565
ASA/DOC: Spaces can be used in LDAP DN
CSCux85525
XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability
CSCux85527
XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab
CSCux85528
XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability
CSCux85532
XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability
CSCux85533
XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili
CSCuy28172
DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers
CSCuy47780
5508 and 5516 Devices may not boot 9.5.1 or later images
CSCuy85511
libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit
CSCuz05856
XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial
CSCuz67536
Configuration retrieval from external server fails in multicontext mode
CSCuz81201
ASA 5506 interface Counters & OIDs showing incorrect value for traffic!
CSCva32092
OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500
CSCva39094
ASA traceback in CLI thread while making MPF changes
CSCva46651
ASAv Azure: ASAv not responding or passing traffic
CSCva52514
ASAv-Azure: waagent may reload when asav deployed with load balancer
CSCva62667
Shut down interfaces shows up in ASP routing table
CSCva69346
Unable to relay DHCP discover packet from ASA when NAT is matched
CSCva70079
SIP packets mangled when using TLS1.2 and ASA is server
CSCva72317
Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability
CSCva72318
XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne
CSCva72319
XMLSoft libxml2 Format String Vulnerability
CSCva79278
ASAv: TCP state bypass not matching the traffic required
CSCva84089
ASA Crash Checkheap Free Buffer Corrupted
CSCva89342
Interfaces get deleted on SFR during Multi-context HA configuration sync
CSCvb11599
ASAv Azure: ASAv30 Anyconnect peer support.
CSCvb13690
ASA : Botnet update fails with a lot of Errors
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.5(3.9)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number
Description
CSCtw90511
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock
CSCuc11186
ARP: Proxy IP traffic is hijacked.
CSCum70304
FIPS self test power on fails - fipsPostDrbgKat
CSCum74032
ASA traceback on standby when SNMP polling
CSCun21186
ASA traceback when retrieving idfw topn user from slave
CSCup37416
Stale VPN Context entries cause ASA to stop encrypting traffic
CSCup96099
"show resource usage detail counter all 1" causes cpu hog
CSCuq80704
ASA classifies TCP packets as PAWS failure incorrectly
CSCur87011
ASA low DMA memory on low end ASA-X -5512/5515 devices
CSCus10787
Transactional ACL commit will bypass security policy during compilation
CSCus16416
Share licenses are not activated on failover pair after power cycle
CSCus37458
ASA traceback in Thread name DATAPATH when handling multicast packet
CSCus53126
ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
CSCut10103
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL
CSCut14209
Cisco ASA XML Denial of Service Vulnerability
CSCuu48197
ASA: Stuck uauth entry rejects AnyConnect user connections
CSCuu50708
ASA Traceback on 9.1.5.19
CSCuv20449
Traceback in Thread Name: ssh when using capture or continuous ping
CSCuv47191
9.5.1 - Crash in bcm_esw_init thread
CSCuv49446
ASA traceback on Standby device during config sync in thread DATAPATH
CSCuv86562
Traceback: ASA crash in thread name fover_health_monitoring_thread
CSCuw02009
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST
CSCuw19671
ASA traceback while restoring backup configuration from ASDM
CSCuw28735
Cisco ASA Software Version Information Disclosure Vulnerability
CSCuw39685
ASA - Filtering HTTP via Websense or SFR may cause memory corruption
CSCuw44038
Watchdog traceback in ldap_client_thread with large number of ldap grps
CSCuw48499
QEMU coredump: qemu_thread_create: Resource temporarily unavailable
CSCuw51576
SSH connections are not timed out on ASA (stuck in rtcli)
CSCuw55813
Standby ASA traceback in Thread Name: EIGRP-IPv4
CSCuw71147
Traceback in Unicorn Proxy Thread, in http_header_by_name
CSCuw87331
ASA: Traceback in Thread name DATAPATH-7-1918
CSCuw90116
ASA 9.4.1 traceback upon clearing and reconfiguring ACL
CSCuw92005
Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly
CSCuw95262
After some time flash operations fail and configuration can not be saved
CSCux00686
Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS)
CSCux03626
Traceback in thread name: Unicorn Proxy Thread
CSCux05081
RSA 4096 key generation causes failover
CSCux07002
ASA: assertion "pp->pd == pd" failed: file "main.c", line 192
CSCux08783
CWS: ASA does not append XSS headers
CSCux08838
ASA: Traceback in Checkheaps
CSCux09181
http-form authentication fails after 9.3.2
CSCux09310
ASA traceback when using an ECDSA certificate
CSCux10499
Smart Tunnel starts and Java closes without any message
CSCux11440
ASA traceback in Unicorn Proxy Thread
CSCux15273
show memory indicates inaccurate free memory available
CSCux16427
PBR incorrect route selection for deny clause
CSCux17527
ASA memory leak related to Botnet
CSCux18455
SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB
CSCux20178
OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later
CSCux21955
ASA: FAILOVER not working with password encryption.
CSCux23659
ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd
CSCux29842
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath
CSCux29929
ASA 9.4.2 traceback in DATAPATH
CSCux30780
GTPv1 traceback in gtpv1_process_msg
CSCux33808
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]
CSCux35538
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test
CSCux36112
PBR: Mem leak in cluster mode due to policy based route
CSCux37303
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related
CSCux37442
Cisco signed certificate expired for WebVpn Port Forward Binary on ASA
CSCux41145
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities
CSCux42936
ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection
CSCux43978
DHCP Relay fails for cluster ASAs with long interface names
CSCux45179
SSL sessions stop processing -"Unable to create session directory" error
CSCux47195
ASA(9.5.2) changing the ACK number sent to client with SFR redirection
CSCux56111
"no ipv6-vpn-addr-assign" CLI not working
CSCux59122
ASA L7 policy-map comes into affect only if the inspection is re-applied
CSCux61257
ASA: Traceback in Thread IP Address Assign
CSCux66866
Traffic drop due to constant amount of arp on ASASM
CSCux69987
ASA: Traceback on ASA device after adding FQDN objects in NAT rule
CSCux70784
ASA traceback while viewing large ACL
CSCux70998
Reload in Thread Name: IKE Daemon
CSCux71197
"show resource usage" gives wrong number of routes after shut/no sh
CSCux72610
ASA TACACS+: process tacplus_snd uses large percentage of CPU
CSCux72835
ASA 9.5 - OCSP check using global routing table instead of management
CSCux81683
ASA Traceback on Thread Name: Unicorn Admin Handler
CSCux82835
Nat pool exhausted observed when enabling asp transactional-commit nat
CSCux86769
VLAN mapping doesn't work when connection falls back to TLS
CSCux87457
ASA traceback in Thread Name: https_proxy
CSCux88237
ASA traceback in DATAPATH thread
CSCux92157
ASA Traceback Assert in Thread Name: ssh_init with component ssh
CSCux93751
Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728
CSCux94598
ASA using a huge dynamic ACL may cause Anyconnect connectivity failures
CSCux96716
ASA tracebacks when replicating Xlate to the standby/slave
CSCux98029
ASA reloads with traceback in thread name DATAPATH or CP Processing
CSCuy00296
Traceback in Thread: IPsec message handler
CSCuy01420
ASA traceback in Thread Name: Unicorn Proxy Thread.
CSCuy01438
ASA traceback with SIP inspection and SFR enabled in 9.5.2
CSCuy03024
ASA traceback and reload citing Thread Name: idfw_proc
CSCuy05949
ASA: MAC address changes on active context when WRITE STANDBY is issued
CSCuy06125
Re-adding context creates context without configs on some slaves
CSCuy07753
Smart tunnel does not work since Firefox 32bit version 43
CSCuy11281
ASA: Assert traceback in version 9.4.2
CSCuy11905
ASA 5585 traceback when the User name is mentioned in the Access list
CSCuy13937
ASA Watchdog traceback in CP Processing thread during TLS processing
CSCuy15636
ASA may traceback with: DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685
CSCuy21206
Traceback when drop is enabled with diameter inspection and tls-proxy
CSCuy21287
STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload
CSCuy22561
VPN Load-Balancing does not send load-balancing cert for IPv6 Address
CSCuy25163
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability
CSCuy32321
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt
CSCuy32728
VPN LB stops working when cluster encryption is configured
CSCuy32964
ASA Crash on cluster member or on standby member of failover pair after replication of conns
CSCuy34265
ASA Access-list missing and losing elements after configuration change
CSCuy36897
Can't navigate to OWA 2013 due to ssl errors
CSCuy40207
Traceback: assertion "0" failed: file "ctm_daemon.c"
CSCuy41986
OCSP validation fails when multiple certs in chain are verified
CSCuy42223
BGP:Deployment failed with reason supported on management-only interface
CSCuy43839
ASA reloads in thread name: DATAPATH while encrypting L2L packet
CSCuy44472
BVI : Interface IPv6 address deleted from standby context on HA - A/A
CSCuy45475
ASA : Configuration not replicated on mate if standby IP is missing
CSCuy47706
Traceback at gtpv1_process_pdp_create_req
CSCuy50406
Crash in proxyi_rx_q_timeout_timer
CSCuy51918
Buffer overflow in RAMFS dirent structure causing traceback
CSCuy54567
Evaluation of pix-asa for OpenSSL March 2016
CSCuy55468
Unicorn Proxy Thread causing CP contention
CSCuy57644
ASAv sub-interface failing to send traffic with customised mac-address
CSCuy63642
ASA 9.1(6) traceback processing outbound DTLS Packet
CSCuy66942
Cisco ASA Software DHCP Relay Denial of Service vulnerability
CSCuy73652
Traceback in thread name idfw when modifying object-group having FQDN
CSCuy74218
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly
CSCuy78802
orignial master not defending all GARP packets after cluster split brain
CSCuy80070
OSPF routes not populating over L2L tunnel
CSCuy82905
ASA crashes when global access-list config is cleared
CSCuy85243
ASA traceback when receive Radius attribute with improper variable type
CSCuy87597
ASA - Traceback in CP Processing Thread During Private Key Decryption
CSCuy90936
ASA may stop responding to OSPF Hello packets
CSCuy95543
Improve efficiency of malloc_avail_freemem()
CSCuy96391
ASA clientless rewriter failure at 'CSCOPut_hash' function
CSCuz00077
ASA 9.1.6.4 traceback with Thread Name: telnet/ci
CSCuz04534
Memory leak in 112 byte bin when packet hits PBR and WCCP rules
CSCuz08625
ASA traceback in SSH thread
CSCuz09255
ASA does not respond to NS in Active/Active HA
CSCuz09394
infinite loop in JS rewriter state machine when return followed by var
CSCuz10371
ASA Traceback and reload by strncpy_sx.c
CSCuz14600
Kenton 9.5.1'boot system/boot config' commands not retained after reload
CSCuz14808
5585-10 traceback in Thread Name: idfw_proc
CSCuz16398
Incorrect modification of NAT divert table.
CSCuz16565
9.6.2 EST - assertion "0" failed: file "snp_vxlan.c"
CSCuz21068
CSCOPut_hash can initiate unexepected requests
CSCuz21178
ASA traceback in threadname ssh
CSCuz23354
CPU usage is high after timer dequeue failed in GTP
CSCuz28000
Context config may get rejected if all the units in Cluster reloaded
CSCuz30425
Network command disappears from BGP after reload with name
CSCuz33255
Traceback in IKEv2 Daemon with 20+ second CPU hog.
CSCuz36938
Traceback on editing a network object on exceeding the max snmp hosts
CSCuz38115
ASA Tback when large ACL applied to interface with object-group-search
CSCuz38180
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
CSCuz38888
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript
CSCuz40081
ASA memory leak due to vpnfo
CSCuz40793
Interfaces get deleted on SFR during HA configuration sync
CSCuz42390
ASA Stateful failover for DRP works intermittently
CSCuz44687
Traceback data path self deadlock panic while attempt to get spin lock
CSCuz44968
Commands not installed on Standby due to parser switch
CSCuz47295
Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability
CSCuz52474
Evaluation of pix-asa for OpenSSL May 2016
CSCuz54193
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection
CSCuz54545
ASA Address not mapped traceback - configuring snmp-server host
CSCuz61092
Interface health-check failover causes OSPF not to advertise ASA as ABR
CSCuz63531
Observing Memory corruption, assert for debug ospf
CSCuz64603
GTP traceback at gtp_update_sig_conn_timestamp while processing data
CSCuz66661
ASA Cut-through Proxy inactivity timeout not working
CSCuz67349
ASA Cluster fragments reassembled before transmission with no inspection
CSCuz67590
ASA may Traceback with Thread Name: cluster rx thread
CSCuz67596
ASA may Traceback with Thread Name: Unicorn Admin Handler
CSCuz67690
ASA crashed due to Election severe problem no master is promoted
CSCuz70330
ASA: SSH being denied on the ASA device as the maximum limit is reached
CSCuz72352
traceback during tls-proxy handshake
CSCuz80281
IPv6 neighbor discovery packet processing behavior
CSCuz90648
2048/1550/9344 Byte block leak cause traffic disruption & module failure
CSCuz92074
ASA with PAT fails to untranslate SIP Via field that doesnt contain port
CSCuz92921
ASA crashes while clearing global access-list
CSCuz94862
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck
CSCuz95806
DNS Doctoring DNS64 is not working
CSCuz98220
ASA traceback with Thread Name: Dispatch Unit
CSCuz98704
Traceback in CP Processing thread after upgrade
CSCva00190
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets
CSCva00939
Remove ACL warning messages in show access-list when FQDN is resolved
CSCva01570
Unexpected end of file logon.html in WebVPN
CSCva02817
ASA not rate limiting with DSCP bit set from the Server
CSCva03607
show service-policy output reporting incorrect values
CSCva03982
ASA : Mem leak in cluster mode due to PBR lookup
CSCva10054
ASA ASSERT traceback in DATAPATH due to sctp inspection
CSCva15911
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash.
CSCva16471
IPv6 OSPF routes do not update when a lower metric route is advertised
CSCva24924
ASA SM on 9300 reloads multi-context over SSH when config-url is entered
CSCva26771
ASA : PBR Mem leak as packet dropped
CSCva31378
ASA treaceback at Thread Name: rtcli async executor process
CSCva35439
ASA DATAPATH traceback (Cluster)
CSCva36202
BGP Socket not open in ASA after reload
CSCva38556
Cisco ASA Input Validation File Injection Vulnerability
CSCva39094
ASA traceback in CLI thread while making MPF changes
CSCva39804
Interfaces get deleted on SFR during cluster rejoining
CSCva40844
Crypto accelerator ring timeout causes packet drops
CSCva46920
Traceback in Thread Name: ssh when issuing show tls-proxy session detail
CSCva49256
memory leak in ssh
CSCva62861
uauth is failed after failover
CSCva68987
ASA drops ICMP request packets when ICMP inspection is disabled
CSCva69584
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB
CSCva69799
ASA stuck in boot loop due to FIPS Self-Test failure
CSCva70095
ASA negotiates TLS1.2 when server in tls-proxy
CSCva76568
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports
CSCva77852
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon
CSCva81749
IPV6 address not assigned when connecting via IPSEC protocol
CSCva84635
ASA: CHILD_SA collision brings down IKEv2 SA
CSCva85382
ASA memory leak for CTS SGT mappings
CSCva87077
GTP traceback at gtpv1_process_msg for echo response
CSCva87160
OTP authentication is not working for clientless ssl vpn
CSCva88796
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions
CSCva90806
ASA Traceback when issue 'show asp table classify domain permit'
CSCva91420
ASA Traceback in CTM Message Handler
CSCva92151
Cisco ASA SNMP Remote Code Execution Vulnerability
CSCva92813
ASA Cluster DHCP Relay doesn't forward the server replies to the client
CSCva94702
Enqueue failures on DP-CP queue may stall inspected TCP connection
CSCvb03994
Traceback in IKE_DBG
CSCvb05667
H.323 inspection causes Traceback in Thread Name: CP Processing
CSCvb05787
traceback in network udpmod_get after anyconnect test load application
CSCvb13690
ASA : Botnet update fails with a lot of Errors
CSCvb13737
wr mem/ wr standby is not syncing configs on standby
CSCvb14997
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer
CSCvb19251
ASA as DHCP relay drops DHCP 150 Inform message
CSCvb19843
Buffer Overflow in ASA Leads to Remote Code Execution
CSCvb22435
ASA Traceback in thread name CP Processing due to DCERPC inspection
CSCvb22848
ASA 9.1.7-9 crash in Thread Name: NIC status poll
CSCvb27868
ASA 1550 block depletion with multi-context transparent firewall
CSCvb29411
AAA authentication/authorization fails if only accessible via mgmt vrf
CSCvb29688
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
CSCvb30445
ASA may generate DATAPATH Traceback with policy-based routing enabled
CSCvb31833
Traceback : ASA with Threadname: DATAPATH-0-1790
CSCvb32297
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error
CSCvb36199
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback
CSCvb39147
Lower NFS throughput rate on Cisco ASA platform
CSCvb45039
ASA traceback with Thread Name aaa_shim_thread
CSCvb48640
Evaluation of pix-asa for Openssl September 2016
CSCvb49273
Traceback triggered by CoA on ASA when sending/receiving to/from ISE
CSCvb52988
ASA Traceback Thread Name: emweb/https
CSCvb63503
AAA session handle leak with IKEv2 when denied due to time range
CSCvb63819
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3
CSCvb64161
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client
CSCvb68766
ASA traceback at Thread Name: IKE Daemon.
CSCvb74249
ASA dropping traffic with TCP syslog configured in multicontext mode
CSCvd78303
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'
Resolved Bugs in Version 9.5(2.200)
There were no bugs fixed in 9.5(2.200).
Resolved Bugs in Version 9.5(2.1)
There were no bugs fixed in 9.5(2.1).
Resolved Bugs in Version 9.5(2)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for
Version 9.5(2):
• 9.5(2) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
CSCuv94338
ASA traceback in Thread Name: CP Crypto Result Processing.
CSCuu27334
ASA: Traceback with Thread Name - AAA
CSCuu73395
Auth-prompt configured in one context appears in another context
CSCuv32615
ASA: LDAP over SSL Authentication failure
CSCuv12884
Unable to authenticate with remove aaa-server from different context
CSCuw00971
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
CSCut28210
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
CSCus47259
Cisco ASA XAUTH Bypass Vulnerability
CSCut27332
ASA traceback in aaa_shim_thread / command author done for dACL install
CSCuu48626
ASA - access list address argument changed from host 0.0.0.0 to host ::
CSCuv92371
ASA traceback: SSH Thread: many users logged in and dACLs being modified
CSCuv12564
Memory leak @regcomp_unicorn with APCF configured
CSCus56590
ASA - Traceback in Thread Name: fover_parse
CSCuw09578
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
CSCuv87150
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
CSCut88287
ASA Traceback in vpnfol_thread_msg
CSCuv87760
Unicorn proxy thread traceback with RAMFS processing
CSCus32005
ASA - Traceback in thread name SSH while applying BGP show commands
CSCuu10284
ASA Dataplane captures dont capture packets when using match/access-list
CSCuu61573
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
CSCur20322
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
CSCus97061
ASA Cluster member traceback in DATAPATH
CSCuv39775
ASA cluster-Incorrect "current conns" counter in service-policy
CSCuu28909
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
CSCuw36853
ASA: ICMP error loop on cluster CCL with Interface PAT
CSCut56198
Clustering: Traceback in DATAPATH with transparent FW
CSCuu66218
ASA is not correctly handling errors on AES-GCM ICV
CSCuu18989
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
CSCuu75901
ASA failover due to issue show local-host command make CPU-hog
CSCus92856
ASA traceback in DATAPATH Thread due to Double Block Free
CSCut40770
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
CSCuv91730
Request allow packets to pass when snort is down for ASA configurations
CSCuv58559
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
CSCuw66397
DHCP Server Process stuck if dhcpd auto_config already enabled from CLI
CSCuu84085
DHCP-DHCP Proxy thread traceback shortly after failover and reload
CSCut44082
EIGRP configuration not being correctly replicated between failover ASAs
CSCuu77207
ASA - URL filter - traceback on thread name uauth_urlb clean
CSCut92194
ASA traceback in Thread Name: CP Processing
CSCur07061
Traceback on standby ASA during hitless upgrade
CSCuv01177
ASA: traceback in IDFW AD agent
CSCze96017
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
CSCuu45858
ASA Traceback in cp_syslog
CSCut86523
ASA: Silently Drops packets with SFR Module installed.
CSCuu73716
Traceback in Thread CP Processing
CSCuu56912
ASA change non-default port to 443 for https traffic redirected to CWS
CSCut30741
ASA redirection to Scansafe tower fails with log id "775002" in syslog
CSCuu91304
Immediate FIN from client after GET breaks scansafe connection
CSCuq99821
ASA/ASASM drops SIP invite packets with From field containing "" and \
CSCut48009
Traceback in thread CP Processing
CSCut45114
2048-byte block leak if DNS server replies with "No such name"
CSCuu94945
ASA: Traceback while copying file using SCP on ASA
CSCuw41548
DNS Traceback in channel_put()
CSCut28217
Active ASA in failover setup reboots on its own
CSCuu36639
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
CSCus08239
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
CSCuv70576
Cisco ASA VPN Memory Block Exhaustion Vulnerability
CSCuo08193
Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet
CSCuu39636
Cert Auth fails with 'max simultaneous-login restriction' error
CSCuu82229
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
CSCut75983
ASA Traceback in PPP
CSCuw17930
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks
CSCuw22886
Split-tunnel not working for EzVPN client on Kenton device (9.5.1)
CSCut95793
ASA: Anyconnect IPv6 Traceroute does not work as expected
CSCut01856
ASA dropping traffic with TCP syslog configured in multicontext mode
CSCuv07106
ASATraceback in ssh whilst adding new line to extended ACL
CSCuu63656
ASA not generating PIM register packet for directly connected sources
CSCuw22130
ASA traceback when removing dynamic PAT statement from cluster
CSCtz98516
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
CSCuu45812
asa Traceback with Thread Name idfw_proc
CSCuu39615
eglibc 2.18 is missing upstream fix #15073
CSCuv96011
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
CSCuv45756
ASA may tracebeck when displaying packet capture with trace option
CSCuv11566
ASA LDAP CRL query baseObject DN string is malformed
CSCuv66333
ASA picks incorrect trustpoint to verify OCSP Response
CSCut67965
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
CSCut15570
Anyconnect SSL VPN certificate authentication fails o ASA
CSCuu46569
ASA CA certificate import fails with different types of Name Constraints
CSCus78450
ASA cert validation fails when suitable TP is above the resident CA cert
CSCuu45813
ASA Name Constraints dirName improperly verified
CSCuv57389
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
CSCuv88785
RA validation failed when CA/subCA contains name constraints
CSCui20213
5585 interface counters show 0 for working interfaces and console errors
CSCuu04012
ASA CX - Data Plane marked as DOWN untill ASA reload.
CSCuv10258
ASA5505 permanent base license, temp secplus, failover, vlan count issue
CSCuw29566
ASA5585 9.5(1): Support Failover Lan on Management0/0 port
CSCus62863
Kenton 5516: Interface dropping ARPs after flapping under traffic load
CSCuq57307
ASA 8.4 Memory leak due to duplicate entries in ASP table
CSCuw06294
ASA: Traceback in Thread Name Checkheaps due to webvpn
CSCuv10938
'redistribute' cmds under 'router eigrp' removed on deleting any context
CSCuu53928
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA
CSCuu31751
ASA OSPF database not reflect changes
CSCuv50968
CRL download functionality seems to be broken on ASA
CSCuv42413
Dynamic Route Not Installed After Failover
CSCut37974
EIGRP authentication not working with simple pasword
CSCur09141
RRI static routing changes not updated in routing table
CSCut10078
Standby ASA does not apply OSPF route after config replication
CSCuv50709
Standby ASA inside IP not reachable after Anyconnect disconnect
CSCuv79552
Standby traceback during config replication with customization export
CSCuu06081
ASAv licesing enforcement should not be CLI parser based
CSCuw59388
Unable to load ASDM to a Context in Multiple Context Mode
CSCtx43501
CPU hog due to snmp polling of ASA memory pool information
CSCuu04160
snmpwalk causes slow memory leak on ASA
CSCuu84697
ASA Traceback in Thread Name ssh/client
CSCus70693
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
CSCut03981
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
CSCus27650
Cut Through proxy not working correctly with TLS1.2
CSCuv51649
SSL : Unable to Join nodes in Cluster
CSCuu02848
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL
CSCuu87823
ASAv traceback in DATAPATH when used for WebVPN
CSCuv27197
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
CSCuv92384
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS
CSCuu86195
conn-max counter is not decreased accordingly
CSCut39985
Per-session PAT RST sent to incorrect direction after closing session
CSCut49111
ASA traceback because of TD tcp-intercept feature
CSCuw26991
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection
CSCut36927
Cluster destabilizes when contexts are removed
CSCuv43902
ASA: Watchdog Traceback with Thread Name:- SXP CORE
CSCur07369
SXP Version Mismatch Between ASA & N7K with clustering
CSCuw86069
ASAv Cannot remove/change default global_policy or inspection_default
CSCut49034
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
CSCuw14334
Trace back with Thread Name: IP Address Assign
CSCut12513
ASA allows citrix ICA connection without authentication
CSCuq97035
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
CSCut71095
ASA WebVPN clientless cookie authentication bypass
CSCuv30184
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
CSCuu32905
ASA WebVPN: Javascript fails to execute when accessing internal portal
CSCuv05386
Clientless webvpn on ASA does not display asmx files
CSCuv69235
HTTP chunked data causing watchdog
CSCuv05916
Need to prevent traceback in js_parser_print_rest
CSCuw87910
PCP 10.6 Clientless VPN Access is Denied when accessing Pages
CSCuw44744
Traceback in WebVPN rewriter
CSCuu78835
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
CSCus46895
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon
CSCuv86500
Webvpn: JS parser may crash if the underlying connection is closed
Resolved Bugs in Version 9.5(1.5)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for
Version 9.5(1.5):
• 9.5(1.5) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
CSCuq97035
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
CSCus08239
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
CSCut03981
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
CSCut49034
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
CSCut95793
ASA: Anyconnect IPv6 Traceroute does not work as expected
CSCuu73395
Auth-prompt configured in one context appears in another context
CSCuu73716
Traceback in Thread CP Processing
CSCuu75901
ASA failover due to issue show local-host command make CPU-hog
CSCuu77207
ASA - URL filter - traceback on thread name uauth_urlb clean
CSCuu87823
ASAv traceback in DATAPATH when used for WebVPN
CSCuv05386
Clientless webvpn on ASA does not display asmx files
CSCuv05916
Need to prevent traceback in js_parser_print_rest
CSCuv09538
ASA: CLI commands not showing help(?) options for local authorization
CSCuv11566
ASA LDAP CRL query baseObject DN string is malformed
CSCuv12884
Unable to authenticate with remove aaa-server from different context
CSCuv27197
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
CSCuv32615
ASA: LDAP over SSL Authentication failure
CSCuv35243
ASA: Not able to remove ACE with "log default" keyword
CSCuv39775
ASA cluster-Incorrect "current conns" counter in service-policy
CSCuv42413
Dynamic Route Not Installed After Failover
CSCuv43902
ASA: Watchdog Traceback with Thread Name:- SXP CORE
CSCuv45756
ASA may traceback when displaying packet capture with trace option
CSCuv57389
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
CSCuv69235
HTTP chunked data causing watchdog
CSCuv70576
Cisco ASA VPN Memory Block Exhaustion Vulnerability
CSCuv79552
Standby traceback during config replication with customization export
CSCuv86500
Webvpn: JS parser may crash if the underlying connection is closed
CSCuv87150
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
CSCuv87760
Unicorn proxy thread traceback with RAMFS processing
CSCuv88785
RA validation failed when CA/subCA contains name constraints
CSCuv91730
Request allow packets to pass when snort is down for ASA configurations
CSCuw00971
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
CSCuw09578
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
CSCuw30700
traffic-forward interface command is not working on 5585
Resolved Bugs in Version 9.5(1.200)
There were no bugs fixed in 9.5(1.200).
Resolved Bugs in Version 9.5(1)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for
Version 9.5(1):
• 9.5(1) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
CSCuu31281
AAA Authorization HTTP sends username in password field of authorization
CSCus57241
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions
CSCuu73087
Standalone AnyConnect fails to connect due to empty DAP user message
CSCur17006
Add cli to control masked username in syslog
CSCut96928
ASA : Password creation date is decrementing by one with every reboot
CSCuu27334
ASA: Traceback with Thread Name - AAA
CSCut22865
[ASA] CTP not working if proxyACL port_argument is gt
CSCut54218
ASA tunnel-group "password-expire-in-days" not prompting a password change
CSCut28210
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
CSCut27332
ASA traceback in aaa_shim_thread / command author done for dACL install
CSCuu48626
ASA - access list address argument changed from host 0.0.0.0 to host ::
CSCut92373
ASA 9.0.3 not logging permitted UDP traffic
CSCus83942
ASA : ACL logging is not getting disabled with keyword "log disable"
CSCut31315
[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted
CSCuv12564
Memory leak @regcomp_unicorn with APCF configured
CSCur99653
Codenomicon HTTP-server suite may cause crash
CSCus32005
ASA - Traceback in thread name SSH while applying BGP show commands
CSCuv25327
bgp ipv6 neighborship fails with ASA after hard reset on router
CSCuu10284
ASA Dataplane captures don't capture packets when using match/access-list
CSCuu13345
Drop reasons missing from asp-drop capture
CSCuu28909
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
CSCut56198
Clustering: Traceback in DATAPATH with transparent FW
CSCur56038
RPC error in request config after replicated a large configuration
CSCut49711
show cluster mem indicates incorrect values
CSCut44075
Traceback in snp_cluster_get_buffer
CSCuu66218
ASA is not correctly handling errors on AES-GCM ICV
CSCuu88607
Doubling counting flow bytes for decrypted packets
CSCus56252
Cisco ASA DHCPv6 Relay Denial of Service Vulnerability
CSCut49724
Corrupted host name may occur with DHCP
CSCuu84085
DHCP-DHCP Proxy thread traceback shortly after failover and reload
CSCut44082
EIGRP configuration not being correctly replicated between failover ASAs
CSCut92194
ASA traceback in Thread Name: CP Processing
CSCuu16983
ASA: failover logging messages appear in user context
CSCut11895
Failover assembly remained in active-active state permanently
CSCur07061
Traceback on standby ASA during hitless upgrade
CSCut06531
ASA: XFRAME support for .JS and .JNLP URL's
CSCuv01177
ASA: traceback in IDFW AD agent
CSCuu54660
ASA Remote Access - Phase 1 terminated after xauth
CSCur68226
ASA SMTP inspection should not disable TLS by default
CSCut05676
Handling esmtp default parameters for TLS
CSCze96017
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
CSCuq69907
ASA traceback: thread name "scansafe_poll"
CSCuq99821
ASA/ASASM drops SIP invite packets with From field containing "" and \
CSCut48009
Traceback in thread CP Processing
CSCut83833
USB device hot plug not supported in running ASA
CSCut45114
2048-byte block leak if DNS server replies with "No such name"
CSCuu07799
Cisco ASA DNS Denial of Service Vulnerability
CSCuu02761
DNS should perform IPv4 lookups if IPv6 address is not reachable
CSCuv02304
EEM action not executed on absolute time when NTP is configured
CSCuu36639
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
CSCur51051
LU allocate connection failed on the Standby ASA unit
CSCuu39636
Cert Auth fails with 'max simultaneous-login restriction' error
CSCuv07126
ikev2 enable added to config when zones are used despite ERROR msg
CSCut80316
Ikev2 Session with bogus assigned IP address stays on ASA
CSCus85532
IKEv2: IPSec SA's are created by dynamic crypto map for static peers
CSCut75983
ASA Traceback in PPP
CSCut24490
L2TP/IPSec Optimal MSS is not what it's supposed to be
CSCut64327
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
CSCut69675
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
CSCus98309
Duplicate IPv6 address is configurable in 1 ASA or context
CSCuu41142
IPv6 local host route fail when setting link-local/Global simultaneously
CSCut01856
ASA dropping traffic with TCP syslog configured in multicontext mode
CSCuu67411
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
CSCuu19489
ASA inspection-MPF ACL changes not inserted into ASP table properly
CSCuv07106
ASA Traceback in ssh whilst adding new line to extended ACL
CSCuu63656
ASA not generating PIM register packet for directly connected sources
CSCus74398
Cisco ASA PIM Multicast Registration Vulnerability
CSCus14147
ASA generate pool exhausted for sip inspect with embedded IP but no port
CSCti05769
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
CSCui37201
Misleading error msg for pat-pool with mapped object
CSCtz98516
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
CSCut71347
PBA: Generate syslogs for port block allocation related failures
CSCuu33321
Two Dynamic PAT with and without block-allocation
CSCuu39615
eglibc 2.18 is missing upstream fix #15073
CSCus84220
ASA crashes for the OSPFv2 packets from codenomicon
CSCuv01022
ASA:OSPF over L2L tunnels is not working with multiple cry map entries
CSCut52679
Cisco ASA OSPFv2 Denial of Service Vulnerability
CSCuu88548
Ampersand (&) not encoded in packet tracer phase 'extra' field
CSCus19673
"no nameif" is removing the policy-route configuration
CSCus86487
PBR: DF & DSCP bits are not getting set without valid set next-hop
CSCus78109
Policy based routing is not working with twice NAT
CSCus63993
ASA - Traceback in thread name: CERT API
CSCuu74823
Cryptomaps lose trustpoint when syncing configuration from cluster unit
CSCuu81932
ASA tunnel-group-map cannot contain spaces
CSCut67965
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
CSCut15570
Anyconnect SSL VPN certificate authentication fails on ASA
CSCuu46569
ASA CA certificate import fails with different types of Name Constraints
CSCuu45813
ASA Name Constraints dirName improperly verified
CSCut48571
Incorrect cert chain sent to connecting IPSec clients
CSCut75202
PKI: potential pki session handle leak in IKEv2 L2L configurations
CSCus69021
5506-X: 'no buffer' interface counter reports incorrect errors
CSCus62863
Kenton 5516: Interface dropping ARPs after flapping under traffic load
CSCuu75675
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250
CSCuv72010
Kernel command line is displayed while booting 9.5.1 Image
CSCuq27342
Traceback and reload triggered by failover configuration
CSCut23991
PPPoE session state timer does not initialize properly
CSCuq57307
ASA 8.4 Memory leak due to duplicate entries in ASP table
CSCut67315
ASA :Top 10 Users status is not getting enabled from ASDM.
CSCuu08031
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ
CSCut37042
Secondary ASA stuck in config sync while upgrading to 8.4.x
CSCuj68919
Multiple problems with output of show processes memory
CSCuv10938
'redistribute' cmds under 'router eigrp' removed on deleting any context
CSCus24519
ASA Cluster: Default OSPF route gone on Master unit
CSCuu53928
ASA does not set forward address or p-bit in OSPF redistribution in NSSA
CSCut01395
ASA silently dropping OSPF LS Update messages from neighbors
CSCuu99349
ASA-3-317012 and "No route to host" errors even though the route exists
CSCuu00733
ASA: ECMP stopped working after upgrade to 9.3.2
CSCus64394
Misleading route-map warning message
CSCur09141
RRI static routing changes not updated in routing table
CSCut10078
Standby ASA does not apply OSPF route after config replication
CSCut26062
ASA 9.2.1 Eigrp Authentication does not work with 16 character key
CSCuu02635
Remove demo and eval warning for sfr monitor-only
CSCus79307
ASAv cannot send SL messages after toggling of "service call-home" cmd
CSCus79129
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg
CSCuu04160
snmpwalk causes slow memory leak on ASA
CSCuu07308
"ssh scopy enable" deleted from configuration
CSCuu52976
ASA not checking the MAC of the TLS records
CSCuu93339
Cisco ASA Poodle TLS Variant
CSCus27650
Cut Through proxy not working correctly with TLS1.2
CSCuu97304
SSL connection failing to WebVPN portal
CSCuv51649
SSL : Unable to Join nodes in Cluster
CSCuu83280
Evaluation of OpenSSL June 2015
CSCut46019
MARCH 2015 OpenSSL Vulnerabilities
CSCuu87823
ASAv traceback in DATAPATH when used for WebVPN
CSCus42901
JANUARY 2015 OpenSSL Vulnerabilities
CSCut64846
To-the-box UDP traffic not getting inspected and getting dropped on ASA
CSCus11465
ASA teardown connection after receiving same direction fins
CSCuu86195
conn-max counter is not decreased accordingly
CSCut04182
NFS connections not timing out after failover
CSCut39985
Per-session PAT RST sent to incorrect direction after closing session
CSCut49111
ASA traceback because of TD tcp-intercept feature
CSCus89139
Exception on asdm_handler stream line: </threat-detection>
CSCus54537
ASAv requires a reboot for the license to take effect.
CSCuu09302
ASAv: RSA key pair needs to be automatically generated with 2048 bits
CSCuu07462
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno)
CSCus89286
ASA Traceback in SSL library due to DMA memory exhaustion
CSCus53692
ASA traceback in Thread Name: fover_parse
CSCus37840
AnyConnect upgrade from AC 2.5 to AC 3.1 fails
CSCus95290
Cisco ASA VPN XML Parser Denial of Service Vulnerability
CSCuc16662
HTML/Java File Browser- created file or folder shows 9 months offset
CSCut71095
ASA WebVPN clientless cookie authentication bypass
CSCuu48813
WebVpn: portal is not displayed after re-login
CSCuv30184
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
CSCuu18564
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame
CSCuu18527
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
CSCuu32905
ASA WebVPN: Javascript fails to execute when accessing internal portal
CSCut85049
Issue with downloading images from Sharepoint
CSCuv38654
rewriter returns 302 for a file download
CSCut35406
Src url of video track tag not mangled via webvpn
CSCut58935
WebVPN: Tsweb fails to work through clientless portal
CSCut39169
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app
CSCur42776
Mac version smart-tunnel uses SSLv3 which is a vulnerability
CSCuq10239
Windows 8 with new JRE, IE is not gaining access to smart tunnel
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2017 Cisco Systems, Inc. All rights reserved.