Release Notes for the Cisco ASA Series, 9.5(x)


First Published: 2015-08-31

Last Modified: 2017-04-17

This document contains release information for Cisco ASA software Version 9.5(x).

Important Notes

• Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.

• E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands are no longer supported.

• CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) are no longer supported.

The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.

• Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) are no longer supported.

• The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.

For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."
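A pre-upgrade check for the deprecations listed above, as an added example that is not part of the Cisco release notes: it scans a saved running-config for the commands that 9.5(2) removes or migrates and reports the new form of the migrating ones. The sample configuration, its object names and all function names are constructed for illustration.

```python
"""Pre-upgrade audit of an ASA running-config against the 9.5(2) deprecations.

Added example, not Cisco code. SAMPLE_CONFIG is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Configuration modes removed in 9.5(2), together with their subcommands.
REMOVED_MODES = ("imap4s", "pop3s", "smtps")
# Individual configuration commands removed in 9.5(2).
REMOVED_COMMANDS = ("csd image", "override-account-disable", "authentication crack")
# Commands that migrate to a new name (old prefix -> new prefix).
MIGRATED_COMMANDS = {
    "csd hostscan image": "hostscan image",
    "csd enable": "hostscan enable",
}


@dataclass
class Finding:
    lineno: int
    command: str
    status: str                 # "removed" or "migrated"
    replacement: Optional[str]  # new command text when status == "migrated"


def _matches(command: str, prefix: str) -> bool:
    """True when command is the prefix itself or the prefix plus arguments."""
    return command == prefix or command.startswith(prefix + " ")


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per configuration line affected by the upgrade."""
    findings = []
    removed_mode = None  # set while inside an imap4s/pop3s/smtps block
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        command = raw.strip()
        if not command or command.startswith("!"):
            continue  # blank line or "!" separator
        if not raw[0].isspace():
            # A top-level line starts a new block and ends the previous one.
            removed_mode = command if command in REMOVED_MODES else None
            if removed_mode:
                findings.append(Finding(lineno, command, "removed", None))
                continue
        elif removed_mode:
            # Indented line: a subcommand of a removed e-mail proxy mode.
            findings.append(Finding(lineno, command, "removed", None))
            continue
        for old, new in MIGRATED_COMMANDS.items():
            if _matches(command, old):
                rewritten = new + command[len(old):]  # keep the arguments
                findings.append(Finding(lineno, command, "migrated", rewritten))
                break
        else:
            if any(_matches(command, p) for p in REMOVED_COMMANDS):
                findings.append(Finding(lineno, command, "removed", None))
    return findings


# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-asa
imap4s
 server 192.0.2.10
 authentication-server-group MAIL
webvpn
 enable outside
 csd image disk0:/csd.pkg
 csd hostscan image disk0:/hostscan.pkg
 csd enable
tunnel-group RA general-attributes
 override-account-disable
crypto ikev1 policy 10
 authentication crack
 encryption aes
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        action = "-> " + f.replacement if f.replacement else "no longer supported"
        print(f"line {f.lineno:>2}: {f.command:<45} {action}")
```

The show webvpn csd commands in the same note are exec commands, so they appear in scripts and runbooks rather than in the saved configuration and need a separate search.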

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

VPN Compatibility

For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

New Features

This section lists new features for each release.

Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in ASA 9.5(3.9)/ASDM 7.6(2)

Released: April 11, 2017

Note: Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.

Remote Access Features

Feature: Configurable SSH encryption and HMAC algorithm.

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7) and 9.4(3).
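One way to check what a given configuration will propose for SSH encryption, as an added example that is not part of the Cisco release notes. The default order is the one quoted in the feature description; the colon-separated form of a custom list, the sample configuration strings and the function names are assumptions.

```python
"""Report which SSH encryption algorithms an ASA configuration proposes.

Added example, not Cisco code. DEFAULT_ORDER is the order quoted in the
release note; a colon-separated custom list is an assumption of this sketch.
"""
from typing import List, Optional, Tuple

# Default proposal order stated in the release note.
DEFAULT_ORDER = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                 "aes128-ctr", "aes192-ctr", "aes256-ctr"]


def effective_ssh_ciphers(config_text: str) -> Tuple[str, Optional[List[str]]]:
    """Return (source, ciphers); source is 'default', 'custom' or 'other'.

    ciphers is None when the line uses a form this sketch cannot expand,
    because the release note does not list what that form contains.
    """
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:3] != ["ssh", "cipher", "encryption"]:
            continue
        if len(words) >= 5 and words[3] == "custom":
            return "custom", [c for c in words[4].split(":") if c]
        return "other", None
    # No "ssh cipher encryption" line: the default order applies.
    return "default", list(DEFAULT_ORDER)


def review(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    source, ciphers = effective_ssh_ciphers(config_text)
    if ciphers is None:
        return ["ssh cipher encryption uses a form not expanded here; "
                "verify the proposal on the device"]
    issues = []
    if not ciphers:
        issues.append("custom cipher list is empty")
    elif ciphers[0] == "3des-cbc":
        where = "default order in use" if source == "default" else "custom list"
        issues.append(f"{where}: 3des-cbc is proposed first, "
                      "the slow case the release note describes")
    unknown = [c for c in ciphers if c not in DEFAULT_ORDER]
    if unknown:
        issues.append("not among the algorithms named in the release note: "
                      + ", ".join(unknown))
    return issues


if __name__ == "__main__":
    # Constructed sample configurations.
    for cfg in ("hostname edge-asa\nssh timeout 5\n",
                "ssh cipher encryption custom aes128-cbc\n",
                "ssh cipher encryption custom aes128-ctr:aes265-ctr\n"):
        print(effective_ssh_ciphers(cfg), review(cfg))
```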


New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)

Released: January 28, 2016

Note: This release supports only the ASAv.

Platform Features

Feature: Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Licensing Features

Feature: Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.

Note: Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Feature: Smart Agent Upgrade to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note: If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command or the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.


New Features in ASA 9.5(2.1)/ASDM 7.5(2)

Released: December 14, 2015

Note: This release supports only the ASA on the Firepower 9300.

Platform Features

Feature: VPN support for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Feature: Flow off-load for the ASA on the Firepower 9300

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.

Also requires FXOS 1.1.3.

We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.

We added or modified the following screens: Configuration > Firewall > Advanced > Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules under Configuration > Firewall > Service Policy Rules.

High Availability Features

Feature: Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Feature: Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300

For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.

Note: If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.

This feature requires FXOS 1.1.3.

We removed the following command for non-satellite configurations: feature strong-encryption

We modified the following screen: Configuration > Device Management > Licensing > Smart License


New Features in ASA 9.5(2)/ASDM 7.5(2)

Released: November 30, 2015

Platform Features

Feature: Cisco ISA 3000 Support

The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay

We modified the following screen: Configuration > Device Management > Hardware Bypass

Also in Version 9.4(1.225).

Firewall Features

Feature: DCERPC inspection improvements and UUID filtering

DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.

We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.

We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC.

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.

Feature: Diameter inspection

You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.

We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab


Feature: SCTP inspection and access control

You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.

We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp

We added or modified the following screens:

Configuration > Firewall > Access Rules add/edit dialogs

Configuration > Firewall > Advanced > ACL Manager add/edit dialogs

Configuration > Firewall > Advanced > Global Timeouts

Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT Settings dialog box

Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs

Configuration > Firewall > Objects > Inspect Maps > SCTP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection and Connection Settings tabs

Feature: Carrier Grade NAT enhancements now supported in failover and ASA clustering

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.

We modified the following command: show local-host

We did not modify any screens.

Feature: Captive portal for active authentication on ASA FirePOWER 6.0.

The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.

We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.

High Availability Features


Feature: LISP Inspection for Inter-Site Flow Mobility

Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.

We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key

We introduced or modified the following screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Configuration > Firewall > Objects > Inspect Maps > LISP

Configuration > Firewall > Service Policy Rules > Protocol Inspection

Configuration > Firewall > Service Policy Rules > Cluster

Monitoring > Routing > LISP-EID Table

Feature: ASA 5516-X support for clustering

The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.

We did not modify any commands.

We did not modify any screens.

Feature: Configurable level for clustering trace entries

By default, all levels of clustering events are included in the trace buffer, including many low level events. To limit the trace to higher level events, you can set the minimum trace level for the cluster.

We introduced the following command: trace-level

We did not modify any screens.

Interface Features

Feature: Support to map Secondary VLANs to a Primary VLAN

You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

We introduced or modified the following commands: vlan secondary, show vlan mapping

We modified the following screens: Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

Routing Features


Feature: PIM Bootstrap Router (BSR) support for multicast routing

The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs.

We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers

We introduced the following screen: Configuration > Device Setup > Routing > Multicast > PIM > Bootstrap Router

Remote Access Features

Feature: Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)

• Centralized AnyConnect image configuration

• AnyConnect image upgrade

• Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Feature: Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality

The ASA acts as a SAML Service Provider.

Feature: Clientless SSL VPN conditional debugging

You can debug logs by filtering, based on the filter condition sets, and can then better analyze them.

We introduced the following additions to the debug command:

• [no] debug webvpn condition user <user name>

• [no] debug webvpn condition group <group name>

• [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]

• [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]

• debug webvpn condition reset

• show debug webvpn condition

• show webvpn debug-condition


Feature: Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.

webvpn
cache
no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

Licensing Features

Feature: Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes

Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.

We introduced the following command: auto-import

We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool > Edit Policy

Feature: New Carrier license

The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.

We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version

We modified the following screen: Configuration > Device Management > Licensing > Smart License

Monitoring Features

Feature: SNMP engineID sync

In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.

We modified the following commands: snmp-server user, no snmp-server user

We did not add or modify any screens.

Also available in 9.4(3).


Feature: show tech support enhancements

The show tech support command now:

• Includes dir all-filesystems output—This output can be helpful in the following cases:

◦ SSL VPN configuration: check if the required resources are on the ASA

◦ Crash: check for the date timestamp and presence of a crash file

• Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.

We modified the following command: show tech support

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

Feature: logging debug-trace persistence

Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection were disconnected (due to network connectivity or timeout), then the debugs were removed. Now, debugs persist for as long as the logging command is in effect.

We modified the following command: logging debug-trace

We did not modify any screens.

New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)

Released: November 11, 2015

Platform Features

Feature: Support for ASA FirePOWER 6.0

The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.

Feature: Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.

You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.

No new screens or commands were added.


New Features in ASDM 7.5(1.90)

Released: October 14, 2015

Remote Access Features

Feature: AnyConnect Version 4.2 support

ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)

New Features in ASAv 9.5(1.200)/ASDM 7.5(1)

Released: August 31, 2015

Note: This release supports only the ASAv.

Platform Features

Feature: Microsoft Hyper-V supervisor support

Extends the hypervisor portfolio for the ASAv.

Feature: ASAv5 low memory support

The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.

New Features in ASA 9.5(1)/ASDM 7.5(1)

Released: August 12, 2015

Note: This version does not support the Firepower 9300 ASA security module or the ISA 3000.


Firewall Features

Feature: GTPv2 inspection and improvements to GTPv0/1 inspection

GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.

We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint

We deprecated the following command: timeout gsn

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP

Feature: IP Options inspection improvements

IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.

We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options

Feature: Carrier Grade NAT enhancements

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).

We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.

We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.

High Availability Features

Feature: Inter-site clustering support for Spanned EtherChannel in Routed firewall mode

You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.

We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration


Feature: ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails

You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.

We introduced the following command: health-check auto-rejoin

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

Feature: The ASA cluster supports GTPv1 and GTPv2

The ASA cluster now supports GTPv1 and GTPv2 inspection.

We did not modify any commands.

We did not modify any screens.

Feature: Cluster replication delay for TCP connections

This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.

We introduced the following command: cluster replication delay

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication

Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

Feature: Disable health monitoring of a hardware module in ASA clustering

By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: health-check monitor-interface service-module

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

Feature: Enable use of the Management 1/1 interface as the failover link on the ASA 5506H

On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.

We modified the following commands: failover lan interface, failover link

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

Routing Features

Feature: Support for IPv6 in Policy Based Routing

IPv6 addresses are now supported for Policy Based Routing.

We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp

We modified the following screens:

Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing

Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause


Feature: VXLAN support for Policy Based Routing

You can now enable Policy Based Routing on a VNI interface.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General

Feature: Policy Based Routing support for Identity Firewall and Cisco Trustsec

You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

Feature: Separate routing table for management-only interfaces

To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only

We did not modify any screens.

Feature: Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support

The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.

We did not modify any commands.

We did not modify any screens.

Remote Access Features

IPv6 VLAN Mapping

ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

Clientless SSL VPN SharePoint 2013 Support

Added support and a predefined application template for this new SharePoint version.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates

Dynamic Bookmarks for Clientless VPN

Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks


VPN Banner Length Increase

The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.

We modified the following command: banner (group-policy).

We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner

Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X

This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.

We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt

We introduced the following screen: Configuration > VPN > Easy VPN Remote

Monitoring Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

We modified the following screen: Configuration > Device Management > Logging > Syslog Setup

This feature is also available in 9.2(4) and 9.3(3).

REST API Features

REST API Version 1.2.1

We added support for the REST API Version 1.2.1.

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

Upgrade Path

See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.


| Current ASA Version | First Upgrade to: | Then Upgrade to: |
| --- | --- | --- |
| 8.2(x) and earlier | 8.4(6) | 9.1(3) and later |
| 8.3(x) | 8.4(6) | 9.1(3) and later |
| 8.4(1) through 8.4(4) | 8.4(6) or 9.0(2+) | 9.1(3) and later |
| 8.4(5+) | — | 9.1(3) and later |
| 8.5(1) | 9.0(2+) | 9.1(3) and later |
| 8.6(1) | 9.0(2+) | 9.1(3) and later |
| 9.0(1) | 9.0(2+) | 9.1(3) and later |
| 9.0(2+) | — | 9.1(3) and later |
| 9.1(1) | 9.1(2) | 9.1(3) and later |
| 9.1(2+) | — | 9.1(3) and later |
| 9.2(x) | — | 9.2(2) and later |
| 9.3(x) | — | 9.3(2) and later |
| 9.4(x) | — | 9.4(2) and later |
| 9.5(x) | — | 9.5(2) and later |
| 9.6(x) | — | 9.6(2) and later |
| 9.7(x) | — | 9.8(1) and later |

Upgrade Link

To complete your upgrade, see Upgrade to ASA 9.4 and ASDM 7.4.

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.5(x)

If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.5(x):

• 9.5 open bug search.

The following table lists open bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
| --- | --- |
| CSCto19832 | OpenLDAP needs to be upgraded or patched |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw83618 | ASA5508X SSD LED always green even when SSD is removed |
| CSCux20294 | Free memory drops to 0 after clientless VPN Test |
| CSCux75565 | ASA/DOC: Spaces can be used in LDAP DN |
| CSCux85525 | XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability |
| CSCux85527 | XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab |
| CSCux85528 | XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability |
| CSCux85532 | XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability |
| CSCux85533 | XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili |
| CSCuy28172 | DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers |
| CSCuy47780 | 5508 and 5516 Devices may not boot 9.5.1 or later images |
| CSCuy85511 | libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit |
| CSCuz05856 | XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial |
| CSCuz67536 | Configuration retrieval from external server fails in multicontext mode |
| CSCuz81201 | ASA 5506 interface Counters & OIDs showing incorrect value for traffic! |
| CSCva32092 | OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva46651 | ASAv Azure: ASAv not responding or passing traffic |
| CSCva52514 | ASAv-Azure: waagent may reload when asav deployed with load balancer |
| CSCva62667 | Shut down interfaces shows up in ASP routing table |
| CSCva69346 | Unable to relay DHCP discover packet from ASA when NAT is matched |
| CSCva70079 | SIP packets mangled when using TLS1.2 and ASA is server |
| CSCva72317 | Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability |
| CSCva72318 | XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne |
| CSCva72319 | XMLSoft libxml2 Format String Vulnerability |
| CSCva79278 | ASAv: TCP state bypass not matching the traffic required |
| CSCva84089 | ASA Crash Checkheap Free Buffer Corrupted |
| CSCva89342 | Interfaces get deleted on SFR during Multi-context HA configuration sync |
| CSCvb11599 | ASAv Azure: ASAv30 Anyconnect peer support. |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.5(3.9)

The following table lists select resolved bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
| --- | --- |
| CSCtw90511 | Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
| CSCuc11186 | ARP: Proxy IP traffic is hijacked. |
| CSCum70304 | FIPS self test power on fails - fipsPostDrbgKat |
| CSCum74032 | ASA traceback on standby when SNMP polling |
| CSCun21186 | ASA traceback when retrieving idfw topn user from slave |
| CSCup37416 | Stale VPN Context entries cause ASA to stop encrypting traffic |
| CSCup96099 | "show resource usage detail counter all 1" causes cpu hog |
| CSCuq80704 | ASA classifies TCP packets as PAWS failure incorrectly |
| CSCur87011 | ASA low DMA memory on low end ASA-X -5512/5515 devices |
| CSCus10787 | Transactional ACL commit will bypass security policy during compilation |
| CSCus16416 | Share licenses are not activated on failover pair after power cycle |
| CSCus37458 | ASA traceback in Thread name DATAPATH when handling multicast packet |
| CSCus53126 | ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
| CSCut10103 | ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL |
| CSCut14209 | Cisco ASA XML Denial of Service Vulnerability |
| CSCuu48197 | ASA: Stuck uauth entry rejects AnyConnect user connections |
| CSCuu50708 | ASA Traceback on 9.1.5.19 |
| CSCuv20449 | Traceback in Thread Name: ssh when using capture or continuous ping |
| CSCuv47191 | 9.5.1 - Crash in bcm_esw_init thread |
| CSCuv49446 | ASA traceback on Standby device during config sync in thread DATAPATH |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw02009 | ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
| CSCuw19671 | ASA traceback while restoring backup configuration from ASDM |
| CSCuw28735 | Cisco ASA Software Version Information Disclosure Vulnerability |
| CSCuw39685 | ASA - Filtering HTTP via Websense or SFR may cause memory corruption |
| CSCuw44038 | Watchdog traceback in ldap_client_thread with large number of ldap grps |
| CSCuw48499 | QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
| CSCuw51576 | SSH connections are not timed out on ASA (stuck in rtcli) |
| CSCuw55813 | Standby ASA traceback in Thread Name: EIGRP-IPv4 |
| CSCuw71147 | Traceback in Unicorn Proxy Thread, in http_header_by_name |
| CSCuw87331 | ASA: Traceback in Thread name DATAPATH-7-1918 |
| CSCuw90116 | ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
| CSCuw92005 | Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly |
| CSCuw95262 | After some time flash operations fail and configuration can not be saved |
| CSCux00686 | Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS) |
| CSCux03626 | Traceback in thread name: Unicorn Proxy Thread |
| CSCux05081 | RSA 4096 key generation causes failover |
| CSCux07002 | ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
| CSCux08783 | CWS: ASA does not append XSS headers |
| CSCux08838 | ASA: Traceback in Checkheaps |
| CSCux09181 | http-form authentication fails after 9.3.2 |
| CSCux09310 | ASA traceback when using an ECDSA certificate |
| CSCux10499 | Smart Tunnel starts and Java closes without any message |
| CSCux11440 | ASA traceback in Unicorn Proxy Thread |
| CSCux15273 | show memory indicates inaccurate free memory available |
| CSCux16427 | PBR incorrect route selection for deny clause |
| CSCux17527 | ASA memory leak related to Botnet |
| CSCux18455 | SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB |
| CSCux20178 | OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
| CSCux21955 | ASA: FAILOVER not working with password encryption. |
| CSCux23659 | ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd |
| CSCux29842 | Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
| CSCux29929 | ASA 9.4.2 traceback in DATAPATH |
| CSCux30780 | GTPv1 traceback in gtpv1_process_msg |
| CSCux33808 | ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16] |
| CSCux35538 | Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
| CSCux36112 | PBR: Mem leak in cluster mode due to policy based route |
| CSCux37303 | Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
| CSCux37442 | Cisco signed certificate expired for WebVpn Port Forward Binary on ASA |
| CSCux41145 | Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
| CSCux42936 | ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection |
| CSCux43978 | DHCP Relay fails for cluster ASAs with long interface names |
| CSCux45179 | SSL sessions stop processing -"Unable to create session directory" error |
| CSCux47195 | ASA(9.5.2) changing the ACK number sent to client with SFR redirection |
| CSCux56111 | "no ipv6-vpn-addr-assign" CLI not working |
| CSCux59122 | ASA L7 policy-map comes into affect only if the inspection is re-applied |
| CSCux61257 | ASA: Traceback in Thread IP Address Assign |
| CSCux66866 | Traffic drop due to constant amount of arp on ASASM |
| CSCux69987 | ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
| CSCux70784 | ASA traceback while viewing large ACL |
| CSCux70998 | Reload in Thread Name: IKE Daemon |
| CSCux71197 | "show resource usage" gives wrong number of routes after shut/no sh |
| CSCux72610 | ASA TACACS+: process tacplus_snd uses large percentage of CPU |
| CSCux72835 | ASA 9.5 - OCSP check using global routing table instead of management |
| CSCux81683 | ASA Traceback on Thread Name: Unicorn Admin Handler |
| CSCux82835 | Nat pool exhausted observed when enabling asp transactional-commit nat |
| CSCux86769 | VLAN mapping doesn't work when connection falls back to TLS |
| CSCux87457 | ASA traceback in Thread Name: https_proxy |
| CSCux88237 | ASA traceback in DATAPATH thread |
| CSCux92157 | ASA Traceback Assert in Thread Name: ssh_init with component ssh |
| CSCux93751 | Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
| CSCux94598 | ASA using a huge dynamic ACL may cause Anyconnect connectivity failures |
| CSCux96716 | ASA tracebacks when replicating Xlate to the standby/slave |
| CSCux98029 | ASA reloads with traceback in thread name DATAPATH or CP Processing |
| CSCuy00296 | Traceback in Thread: IPsec message handler |
| CSCuy01420 | ASA traceback in Thread Name: Unicorn Proxy Thread. |
| CSCuy01438 | ASA traceback with SIP inspection and SFR enabled in 9.5.2 |
| CSCuy03024 | ASA traceback and reload citing Thread Name: idfw_proc |
| CSCuy05949 | ASA: MAC address changes on active context when WRITE STANDBY is issued |
| CSCuy06125 | Re-adding context creates context without configs on some slaves |
| CSCuy07753 | Smart tunnel does not work since Firefox 32bit version 43 |
| CSCuy11281 | ASA: Assert traceback in version 9.4.2 |
| CSCuy11905 | ASA 5585 traceback when the User name is mentioned in the Access list |
| CSCuy13937 | ASA Watchdog traceback in CP Processing thread during TLS processing |
| CSCuy15636 | ASA may traceback with:DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685 |
| CSCuy21206 | Traceback when drop is enabled with diameter inspection and tls-proxy |
| CSCuy21287 | STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload |
| CSCuy22561 | VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
| CSCuy25163 | Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
| CSCuy32321 | Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
| CSCuy32728 | VPN LB stops working when cluster encryption is configured |
| CSCuy32964 | ASA Crash on cluster member or on standby member of failover pair after replication of conns |
| CSCuy34265 | ASA Access-list missing and losing elements after configuration change |
| CSCuy36897 | Can't navigate to OWA 2013 due to ssl errors |
| CSCuy40207 | Traceback: assertion "0" failed: file "ctm_daemon.c" |
| CSCuy41986 | OCSP validation fails when multiple certs in chain are verified |
| CSCuy42223 | BGP:Deployment failed with reason supported on management-only interface |
| CSCuy43839 | ASA reloads in thread name: DATAPATH while encrypting L2L packet |
| CSCuy44472 | BVI : Interface IPv6 address deleted from standby context on HA - A/A |
| CSCuy45475 | ASA : Configuration not replicated on mate if standby IP is missing |
| CSCuy47706 | Traceback at gtpv1_process_pdp_create_req |
| CSCuy50406 | Crash in proxyi_rx_q_timeout_timer |
| CSCuy51918 | Buffer overflow in RAMFS dirent structure causing traceback |
| CSCuy54567 | Evaluation of pix-asa for OpenSSL March 2016 |
| CSCuy55468 | Unicorn Proxy Thread causing CP contention |
| CSCuy57644 | ASAv sub-interface failing to send traffic with customised mac-address |
| CSCuy63642 | ASA 9.1(6) traceback processing outbound DTLS Packet |
| CSCuy66942 | Cisco ASA Software DHCP Relay Denial of Service vulnerability |
| CSCuy73652 | Traceback in thread name idfw when modifying object-group having FQDN |
| CSCuy74218 | Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
| CSCuy78802 | orignial master not defending all GARP packets after cluster split brain |
| CSCuy80070 | OSPF routes not populating over L2L tunnel |
| CSCuy82905 | ASA crashes when global access-list config is cleared |
| CSCuy85243 | ASA traceback when receive Radius attribute with improper variable type |
| CSCuy87597 | ASA - Traceback in CP Processing Thread During Private Key Decryption |
| CSCuy90936 | ASA may stop responding to OSPF Hello packets |
| CSCuy95543 | Improve efficiency of malloc_avail_freemem() |
| CSCuy96391 | ASA clientless rewriter failure at 'CSCOPut_hash' function |
| CSCuz00077 | ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
| CSCuz04534 | Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
| CSCuz08625 | ASA traceback in SSH thread |
| CSCuz09255 | ASA does not respond to NS in Active/Active HA |
| CSCuz09394 | infinite loop in JS rewriter state machine when return followed by var |
| CSCuz10371 | ASA Traceback and reload by strncpy_sx.c |
| CSCuz14600 | Kenton 9.5.1'boot system/boot config' commands not retained after reload |
| CSCuz14808 | 5585-10 traceback in Thread Name: idfw_proc |
| CSCuz16398 | Incorrect modification of NAT divert table. |
| CSCuz16565 | 9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
| CSCuz21068 | CSCOPut_hash can initiate unexepected requests |
| CSCuz21178 | ASA traceback in threadname ssh |
| CSCuz23354 | CPU usage is high after timer dequeue failed in GTP |
| CSCuz28000 | Context config may get rejected if all the units in Cluster reloaded |
| CSCuz30425 | Network command disappears from BGP after reload with name |
| CSCuz33255 | Traceback in IKEv2 Daemon with 20+ second CPU hog. |
| CSCuz36938 | Traceback on editing a network object on exceeding the max snmp hosts |
| CSCuz38115 | ASA Tback when large ACL applied to interface with object-group-search |
| CSCuz38180 | ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
| CSCuz38888 | WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
| CSCuz40081 | ASA memory leak due to vpnfo |
| CSCuz40793 | Interfaces get deleted on SFR during HA configuration sync |
| CSCuz42390 | ASA Stateful failover for DRP works intermittently |
| CSCuz44687 | Traceback data path self deadlock panic while attempt to get spin lock |
| CSCuz44968 | Commands not installed on Standby due to parser switch |
| CSCuz47295 | Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability |
| CSCuz52474 | Evaluation of pix-asa for OpenSSL May 2016 |
| CSCuz54193 | ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
| CSCuz54545 | ASA Address not mapped traceback - configuring snmp-server host |
| CSCuz61092 | Interface health-check failover causes OSPF not to advertise ASA as ABR |
| CSCuz63531 | Observing Memory corruption, assert for debug ospf |
| CSCuz64603 | GTP traceback at gtp_update_sig_conn_timestamp while processing data |
| CSCuz66661 | ASA Cut-through Proxy inactivity timeout not working |
| CSCuz67349 | ASA Cluster fragments reassembled before transmission with no inspection |
| CSCuz67590 | ASA may Traceback with Thread Name: cluster rx thread |
| CSCuz67596 | ASA may Traceback with Thread Name: Unicorn Admin Handler |
| CSCuz67690 | ASA crashed due to Election severe problem no master is promoted |
| CSCuz70330 | ASA: SSH being denied on the ASA device as the maximum limit is reached |
| CSCuz72352 | traceback during tls-proxy handshake |
| CSCuz80281 | IPv6 neighbor discovery packet processing behavior |
| CSCuz90648 | 2048/1550/9344 Byte block leak cause traffic disruption & module failure |
| CSCuz92074 | ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
| CSCuz92921 | ASA crashes while clearing global access-list |
| CSCuz94862 | IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
| CSCuz95806 | DNS Doctoring DNS64 is not working |
| CSCuz98220 | ASA traceback with Thread Name: Dispatch Unit |
| CSCuz98704 | Traceback in CP Processing thread after upgrade |
| CSCva00190 | ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
| CSCva00939 | Remove ACL warning messages in show access-list when FQDN is resolved |
| CSCva01570 | Unexpected end of file logon.html in WebVPN |
| CSCva02817 | ASA not rate limiting with DSCP bit set from the Server |
| CSCva03607 | show service-policy output reporting incorrect values |
| CSCva03982 | ASA : Mem leak in cluster mode due to PBR lookup |
| CSCva10054 | ASA ASSERT traceback in DATAPATH due to sctp inspection |
| CSCva15911 | On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
| CSCva16471 | IPv6 OSPF routes do not update when a lower metric route is advertised |
| CSCva24924 | ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
| CSCva26771 | ASA : PBR Mem leak as packet dropped |
| CSCva31378 | ASA treaceback at Thread Name: rtcli async executor process |
| CSCva35439 | ASA DATAPATH traceback (Cluster) |
| CSCva36202 | BGP Socket not open in ASA after reload |
| CSCva38556 | Cisco ASA Input Validation File Injection Vulnerability |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva39804 | Interfaces get deleted on SFR during cluster rejoining |
| CSCva40844 | Crypto accelerator ring timeout causes packet drops |
| CSCva46920 | Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
| CSCva49256 | memory leak in ssh |
| CSCva62861 | uauth is failed after failover |
| CSCva68987 | ASA drops ICMP request packets when ICMP inspection is disabled |
| CSCva69584 | OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
| CSCva69799 | ASA stuck in boot loop due to FIPS Self-Test failure |
| CSCva70095 | ASA negotiates TLS1.2 when server in tls-proxy |
| CSCva76568 | ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
| CSCva77852 | ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
| CSCva81749 | IPV6 address not assigned when connecting via IPSEC protocol |
| CSCva84635 | ASA: CHILD_SA collision brings down IKEv2 SA |
| CSCva85382 | ASA memory leak for CTS SGT mappings |
| CSCva87077 | GTP traceback at gtpv1_process_msg for echo response |
| CSCva87160 | OTP authentication is not working for clientless ssl vpn |
| CSCva88796 | AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
| CSCva90806 | ASA Traceback when issue 'show asp table classify domain permit' |
| CSCva91420 | ASA Traceback in CTM Message Handler |
| CSCva92151 | Cisco ASA SNMP Remote Code Execution Vulnerability |
| CSCva92813 | ASA Cluster DHCP Relay doesn't forward the server replies to the client |
| CSCva94702 | Enqueue failures on DP-CP queue may stall inspected TCP connection |
| CSCvb03994 | Traceback in IKE_DBG |
| CSCvb05667 | H.323 inspection causes Traceback in Thread Name: CP Processing |
| CSCvb05787 | traceback in network udpmod_get after anyconnect test load application |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |
| CSCvb13737 | wr mem/ wr standby is not syncing configs on standby |
| CSCvb14997 | ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
| CSCvb19251 | ASA as DHCP relay drops DHCP 150 Inform message |
| CSCvb19843 | Buffer Overflow in ASA Leads to Remote Code Execution |
| CSCvb22435 | ASA Traceback in thread name CP Processing due to DCERPC inspection |
| CSCvb22848 | ASA 9.1.7-9 crash in Thread Name: NIC status poll |
| CSCvb27868 | ASA 1550 block depletion with multi-context transparent firewall |
| CSCvb29411 | AAA authentication/authorization fails if only accessible via mgmt vrf |
| CSCvb29688 | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| CSCvb30445 | ASA may generate DATAPATH Traceback with policy-based routing enabled |
| CSCvb31833 | Traceback : ASA with Threadname: DATAPATH-0-1790 |
| CSCvb32297 | WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
| CSCvb36199 | Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
| CSCvb39147 | Lower NFS throughput rate on Cisco ASA platform |
| CSCvb45039 | ASA traceback with Thread Name aaa_shim_thread |
| CSCvb48640 | Evaluation of pix-asa for Openssl September 2016 |
| CSCvb49273 | Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
| CSCvb52988 | ASA Traceback Thread Name: emweb/https |
| CSCvb63503 | AAA session handle leak with IKEv2 when denied due to time range |
| CSCvb63819 | ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
| CSCvb64161 | ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
| CSCvb68766 | ASA traceback at Thread Name: IKE Daemon. |
| CSCvb74249 | ASA dropping traffic with TCP syslog configured in multicontext mode |
| CSCvd78303 | ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |

Resolved Bugs in Version 9.5(2.200)

There were no bugs fixed in 9.5(2.200).


Resolved Bugs in Version 9.5(2.1)

There were no bugs fixed in 9.5(2.1).

Resolved Bugs in Version 9.5(2)

If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(2):

• 9.5(2) fixed bug search.

The following table lists resolved bugs at the time of this Release Note publication.

DescriptionIdentifier

ASA traceback in Thread Name: CP Crypto Result Processing.CSCuv94338

ASA: Traceback with Thread Name - AAACSCuu27334

Auth-prompt configured in one context appears in another contextCSCuu73395

ASA: LDAP over SSL Authentication failureCSCuv32615

Unable to authenticate with remove aaa-server from different contextCSCuv12884

ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)CSCuw00971

AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issueCSCut28210

Cisco ASA XAUTH Bypass VulnerabilityCSCus47259

ASA traceback in aaa_shim_thread / command author done for dACL installCSCut27332

ASA - access list address argument changed from host 0.0.0.0 to host ::CSCuu48626

ASA traceback: SSH Thread: many users logged in and dACLs being modifiedCSCuv92371

Memory leak @regcomp_unicorn with APCF configuredCSCuv12564

ASA - Traceback in Thread Name: fover_parseCSCus56590

ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress testCSCuw09578

ASA traceback in Thread Name: fover_parse (ak47/ramfs)CSCuv87150

ASA Traceback in vpnfol_thread_msgCSCut88287

Unicorn proxy thread traceback with RAMFS processingCSCuv87760

ASA - Traceback in thread name SSH while applying BGP show commandsCSCus32005

Release Notes for the Cisco ASA Series, 9.5(x) 29

Release Notes for the Cisco ASA Series, 9.5(x)Resolved Bugs

DescriptionIdentifier

ASA Dataplane captures dont capture packets when using match/access-listCSCuu10284

9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chainCSCuu61573

ASA 9.2.1 - DATAPATH Traceback in L2 cluster environmentCSCur20322

ASA Cluster member traceback in DATAPATHCSCus97061

ASA cluster-Incorrect "current conns" counter in service-policyCSCuv39775

ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnelCSCuu28909

ASA: ICMP error loop on cluster CCL with Interface PATCSCuw36853

Clustering: Traceback in DATAPATH with transparent FWCSCut56198

ASA is not correctly handling errors on AES-GCM ICVCSCuu66218

ASA %ASA-3-201011: Connection limit exceeded when not hitting max limitCSCuu18989

ASA failover due to issue show local-host command make CPU-hogCSCuu75901

ASA traceback in DATAPATH Thread due to Double Block FreeCSCus92856

Interface TLV to SFR is corrupt when frame is longer than 2048 bytesCSCut40770

Request allow packets to pass when snort is down for ASA configurationsCSCuv91730

Traceback in Thread Name: DATAPATH on modifying "set connection" in MPFCSCuv58559

DHCP Server Process stuck if dhcpd auto_config already enabled from CLICSCuw66397

DHCP-DHCP Proxy thread traceback shortly after failover and reloadCSCuu84085

EIGRP configuration not being correctly replicated between failover ASAsCSCut44082

ASA - URL filter - traceback on thread name uauth_urlb cleanCSCuu77207

ASA traceback in Thread Name: CP ProcessingCSCut92194

Traceback on standby ASA during hitless upgradeCSCur07061

ASA: traceback in IDFW AD agentCSCuv01177

Active ftp-data is blocked by Firepower on Chivas Beta on 5512CSCze96017

ASA Traceback in cp_syslogCSCuu45858

Release Notes for the Cisco ASA Series, 9.5(x)30

Release Notes for the Cisco ASA Series, 9.5(x)Resolved Bugs

DescriptionIdentifier

ASA: Silently Drops packets with SFR Module installed.CSCut86523

Traceback in Thread CP ProcessingCSCuu73716

ASA change non-default port to 443 for https traffic redirected to CWSCSCuu56912

ASA redirection to Scansafe tower fails with log id "775002" in syslogCSCut30741

Immediate FIN from client after GET breaks scansafe connectionCSCuu91304

ASA/ASASM drops SIP invite packets with From field containing "" and \CSCuq99821

Traceback in thread CP ProcessingCSCut48009

2048-byte block leak if DNS server replies with "No such name"CSCut45114

ASA: Traceback while copying file using SCP on ASACSCuu94945

DNS Traceback in channel_put()CSCuw41548

Active ASA in failover setup reboots on its ownCSCut28217

ASA 5506X: ESP Packet drop due to crypto accelerator ring timeoutCSCuu36639

ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limitCSCus08239

Cisco ASA VPN Memory Block Exhaustion VulnerabilityCSCuv70576

Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packetCSCuo08193

Cert Auth fails with 'max simultaneous-login restriction' errorCSCuu39636

ikev2 with DH 19 and above fails to pass traffic after phase2 rekeyCSCuu82229

ASA Traceback in PPPCSCut75983

Improper S2S IPSec Datapath Selection for Remote Overlapping NetworksCSCuw17930

Split-tunnel not working for EzVPN client on Kenton device (9.5.1)CSCuw22886

ASA: Anyconnect IPv6 Traceroute does not work as expectedCSCut95793

ASA dropping traffic with TCP syslog configured in multicontext modeCSCut01856

ASATraceback in ssh whilst adding new line to extended ACLCSCuv07106

ASA not generating PIM register packet for directly connected sourcesCSCuu63656

Release Notes for the Cisco ASA Series, 9.5(x) 31

Release Notes for the Cisco ASA Series, 9.5(x)Resolved Bugs

DescriptionIdentifier

ASA traceback when removing dynamic PAT statement from cluster | CSCuw22130
Observed Traceback in SNMP while querying GET BULK for 'xlate count' | CSCtz98516
asa Traceback with Thread Name idfw_proc | CSCuu45812
eglibc 2.18 is missing upstream fix #15073 | CSCuu39615
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards | CSCuv96011
ASA may tracebeck when displaying packet capture with trace option | CSCuv45756
ASA LDAP CRL query baseObject DN string is malformed | CSCuv11566
ASA picks incorrect trustpoint to verify OCSP Response | CSCuv66333
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached | CSCut67965
Anyconnect SSL VPN certificate authentication fails o ASA | CSCut15570
ASA CA certificate import fails with different types of Name Constraints | CSCuu46569
ASA cert validation fails when suitable TP is above the resident CA cert | CSCus78450
ASA Name Constraints dirName improperly verified | CSCuu45813
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) | CSCuv57389
RA validation failed when CA/subCA contains name constraints | CSCuv88785
5585 interface counters show 0 for working interfaces and console errors | CSCui20213
ASA CX - Data Plane marked as DOWN untill ASA reload. | CSCuu04012
ASA5505 permanent base license, temp secplus, failover, vlan count issue | CSCuv10258
ASA5585 9.5(1): Support Failover Lan on Management0/0 port | CSCuw29566
Kenton 5516: Interface dropping ARPs after flapping under traffic load | CSCus62863
ASA 8.4 Memory leak due to duplicate entries in ASP table | CSCuq57307
ASA: Traceback in Thread Name Checkheaps due to webvpn | CSCuw06294
'redistribute' cmds under 'router eigrp' removed on deleting any context | CSCuv10938
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA | CSCuu53928


ASA OSPF database not reflect changes | CSCuu31751
CRL download functionality seems to be broken on ASA | CSCuv50968
Dynamic Route Not Installed After Failover | CSCuv42413
EIGRP authentication not working with simple pasword | CSCut37974
RRI static routing changes not updated in routing table | CSCur09141
Standby ASA does not apply OSPF route after config replication | CSCut10078
Standby ASA inside IP not reachable after Anyconnect disconnect | CSCuv50709
Standby traceback during config replication with customization export | CSCuv79552
ASAv licesing enforcement should not be CLI parser based | CSCuu06081
Unable to load ASDM to a Context in Multiple Context Mode | CSCuw59388
CPU hog due to snmp polling of ASA memory pool information | CSCtx43501
snmpwalk causes slow memory leak on ASA | CSCuu04160
ASA Traceback in Thread Name ssh/client | CSCuu84697
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: | CSCus70693
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig | CSCut03981
Cut Through proxy not working correctly with TLS1.2 | CSCus27650
SSL : Unable to Join nodes in Cluster | CSCuv51649
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL | CSCuu02848
ASAv traceback in DATAPATH when used for WebVPN | CSCuu87823
ASA SSLVPN RDP Plugin session freezes under heavy load with activex | CSCuv27197
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS | CSCuv92384
conn-max counter is not decreased accordingly | CSCuu86195
Per-session PAT RST sent to incorrect direction after closing session | CSCut39985
ASA traceback because of TD tcp-intercept feature | CSCut49111


ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection | CSCuw26991
Cluster destabilizes when contexts are removed | CSCut36927
ASA: Watchdog Traceback with Thread Name:- SXP CORE | CSCuv43902
SXP Version Mismatch Between ASA & N7K with clustering | CSCur07369
ASAv Cannot remove/change default global_policy or inspection_default | CSCuw86069
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal | CSCut49034
Trace back with Thread Name: IP Address Assign | CSCuw14334
ASA allows citrix ICA connection without authentication | CSCut12513
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 | CSCuq97035
ASA WebVPN clientless cookie authentication bypass | CSCut71095
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread | CSCuv30184
ASA WebVPN: Javascript fails to execute when accessing internal portal | CSCuu32905
Clientless webvpn on ASA does not display asmx files | CSCuv05386
HTTP chunked data causing watchdog | CSCuv69235
Need to prevent traceback in js_parser_print_rest | CSCuv05916
PCP 10.6 Clientless VPN Access is Denied when accessing Pages | CSCuw87910
Traceback in WebVPN rewriter | CSCuw44744
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 | CSCuu78835
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon | CSCus46895
Webvpn: JS parser may crash if the underlying connection is closed | CSCuv86500

Resolved Bugs in Version 9.5(1.5)

If you have a Cisco support contract, use the following search for resolved bugs of severity 3 and higher for Version 9.5(1.5):

• 9.5(1.5) fixed bug search.


The following table lists resolved bugs at the time of this Release Note publication.

Description | Identifier
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 | CSCuq97035
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit | CSCus08239
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig | CSCut03981
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal | CSCut49034
ASA: Anyconnect IPv6 Traceroute does not work as expected | CSCut95793
Auth-prompt configured in one context appears in another context | CSCuu73395
Traceback in Thread CP Processing | CSCuu73716
ASA failover due to issue show local-host command make CPU-hog | CSCuu75901
ASA - URL filter - traceback on thread name uauth_urlb clean | CSCuu77207
ASAv traceback in DATAPATH when used for WebVPN | CSCuu87823
Clientless webvpn on ASA does not display asmx files | CSCuv05386
Need to prevent traceback in js_parser_print_rest | CSCuv05916
ASA: CLI commands not showing help(?) options for local authorization | CSCuv09538
ASA LDAP CRL query baseObject DN string is malformed | CSCuv11566
Unable to authenticate with remove aaa-server from different context | CSCuv12884
ASA SSLVPN RDP Plugin session freezes under heavy load with activex | CSCuv27197
ASA: LDAP over SSL Authentication failure | CSCuv32615
ASA: Not able to remove ACE with "log default" keyword | CSCuv35243
ASA cluster-Incorrect "current conns" counter in service-policy | CSCuv39775
Dynamic Route Not Installed After Failover | CSCuv42413
ASA: Watchdog Traceback with Thread Name:- SXP CORE | CSCuv43902
ASA may tracebeck when displaying packet capture with trace option | CSCuv45756
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) | CSCuv57389
HTTP chunked data causing watchdog | CSCuv69235


Cisco ASA VPN Memory Block Exhaustion Vulnerability | CSCuv70576
Standby traceback during config replication with customization export | CSCuv79552
Webvpn: JS parser may crash if the underlying connection is closed | CSCuv86500
ASA traceback in Thread Name: fover_parse (ak47/ramfs) | CSCuv87150
Unicorn proxy thread traceback with RAMFS processing | CSCuv87760
RA validation failed when CA/subCA contains name constraints | CSCuv88785
Request allow packets to pass when snort is down for ASA configurations | CSCuv91730
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) | CSCuw00971
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test | CSCuw09578
traffic-forward interface command is not working on 5585 | CSCuw30700

Resolved Bugs in Version 9.5(1.200)

There were no bugs fixed in 9.5(1.200).

Resolved Bugs in Version 9.5(1)

If you have a Cisco support contract, use the following search for resolved bugs of severity 3 and higher for Version 9.5(1):

• 9.5(1) fixed bug search.

The following table lists resolved bugs at the time of this Release Note publication.

Description | Identifier
AAA Authorization HTTP sends username in password field of authorization | CSCuu31281
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions | CSCus57241
Standalone AnyConnect fails to connect due to empty DAP user message | CSCuu73087
Add cli to control masked username in syslog | CSCur17006
ASA : Password creation date is decrementing by one with every reboot | CSCut96928
ASA: Traceback with Thread Name - AAA | CSCuu27334


[ASA] CTP not working if proxyACL port_argument is gt | CSCut22865
ASA tunnel-group"password-expire-in-days"not prompting a password change | CSCut54218
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue | CSCut28210
ASA traceback in aaa_shim_thread / command author done for dACL install | CSCut27332
ASA - access list address argument changed from host 0.0.0.0 to host :: | CSCuu48626
ASA 9.0.3 not logging permitted UDP traffic | CSCut92373
ASA : ACL logging is not getting disabled with keyword "log disable" | CSCus83942
[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted | CSCut31315
Memory leak @regcomp_unicorn with APCF configured | CSCuv12564
Codenomicon HTTP-server suite may cause crash | CSCur99653
ASA - Traceback in thread name SSH while applying BGP show commands | CSCus32005
bgp ipv6 neighborship fails with ASA after hard reset on router | CSCuv25327
ASA Dataplane captures dont capture packets when using match/access-list | CSCuu10284
Drop reasons missing from asp-drop capture | CSCuu13345
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel | CSCuu28909
Clustering: Traceback in DATAPATH with transparent FW | CSCut56198
RPC error in request config after replicated a large configuration | CSCur56038
show cluster mem indicates incorrect values | CSCut49711
Traceback in snp_cluster_get_buffer | CSCut44075
ASA is not correctly handling errors on AES-GCM ICV | CSCuu66218
Doubling counting flow bytes for decrypted packets | CSCuu88607
Cisco ASA DHCPv6 Relay Denial of Service Vulnerability | CSCus56252
Corrupted host name may occur with DHCP | CSCut49724
DHCP-DHCP Proxy thread traceback shortly after failover and reload | CSCuu84085


EIGRP configuration not being correctly replicated between failover ASAs | CSCut44082
ASA traceback in Thread Name: CP Processing | CSCut92194
ASA: failover logging messages appear in user context | CSCuu16983
Failover assembly remained in active-active state permanantly | CSCut11895
Traceback on standby ASA during hitless upgrade | CSCur07061
ASA: XFRAME support for .JS and .JNLP URL's | CSCut06531
ASA: traceback in IDFW AD agent | CSCuv01177
ASA Remote Access - Phase 1 terminated after xauth | CSCuu54660
ASA SMTP inspection should not disable TLS by default | CSCur68226
Handling esmtp default parameters for TLS | CSCut05676
Active ftp-data is blocked by Firepower on Chivas Beta on 5512 | CSCze96017
ASA traceback: thread name "scansafe_poll" | CSCuq69907
ASA/ASASM drops SIP invite packets with From field containing "" and \ | CSCuq99821
Traceback in thread CP Processing | CSCut48009
USB device hot plug not supported in running ASA | CSCut83833
2048-byte block leak if DNS server replies with "No such name" | CSCut45114
Cisco ASA DNS Denial of Service Vulnerability | CSCuu07799
DNS should perform IPv4 lookups if IPv6 address is not reachable | CSCuu02761
EEM action not executed on absolute time when NTP is configured | CSCuv02304
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout | CSCuu36639
LU allocate connection failed on the Standby ASA unit | CSCur51051
Cert Auth fails with 'max simultaneous-login restriction' error | CSCuu39636
ikev2 enable added to config when zones are used despite ERROR msg | CSCuv07126
Ikev2 Session with bogus assigned IP address stays on ASA | CSCut80316


IKEv2: IPSec SA's are created by dynamic crypto map for static peers | CSCus85532
ASA Traceback in PPP | CSCut75983
L2TP/IPSec Optimal MSS is not what it's supposed to be | CSCut24490
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict" | CSCut64327
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect. | CSCut69675
Duplicate IPv6 address is configurable in 1 ASA or context | CSCus98309
IPv6 local host route fail when setting link-local/Global simultaneously | CSCuu41142
ASA dropping traffic with TCP syslog configured in multicontext mode | CSCut01856
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg | CSCuu67411
ASA inspection-MPF ACL changes not inserted into ASP table properly | CSCuu19489
ASATraceback in ssh whilst adding new line to extended ACL | CSCuv07106
ASA not generating PIM register packet for directly connected sources | CSCuu63656
Cisco ASA PIM Multicast Registration Vulnerability | CSCus74398
ASA generate pool exhausted for sip inspect with embedded IP but no port | CSCus14147
Migration of max_conn/em_limit to MPF is completely wrong in 8.3 | CSCti05769
Misleading error msg for pat-pool with mapped object | CSCui37201
Observed Traceback in SNMP while querying GET BULK for 'xlate count' | CSCtz98516
PBA: Generate syslogs for port block allocation related failures | CSCut71347
Two Dynamic PAT with and without block-allocation | CSCuu33321
eglibc 2.18 is missing upstream fix #15073 | CSCuu39615
ASA crashes for the OSPFv2 packets from codenomicon | CSCus84220
ASA:OSPF over L2L tunnels is not working with multiple cry map entries | CSCuv01022
Cisco ASA OSPFv2 Denial of Service Vulnerability | CSCut52679
Ampersand (&) not encoded in packet tracer phase 'extra' field | CSCuu88548

"no nameif" is removing the policy-route configuration | CSCus19673
PBR: DF & DSCP bits are not getting set without valid set next-hop | CSCus86487
Policy based routing is not working with twice NAT | CSCus78109
ASA - Traceback in thread name: CERT API | CSCus63993
Cryptomaps lose trustpoint when syncing configuration from cluster unit | CSCuu74823
ASA tunnel-group-map cannot contain spaces | CSCuu81932
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached | CSCut67965
Anyconnect SSL VPN certificate authentication fails o ASA | CSCut15570
ASA CA certificate import fails with different types of Name Constraints | CSCuu46569
ASA Name Constraints dirName improperly verified | CSCuu45813
Incorrect cert chain sent to connecting IPSec clients | CSCut48571
PKI: potential pki session handle leak in IKEv2 L2L configurations | CSCut75202
5506-X: 'no buffer' interface counter reports incorrect errors | CSCus69021
Kenton 5516: Interface dropping ARPs after flapping under traffic load | CSCus62863
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250 | CSCuu75675
Kernel command line is displayed while booting 9.5.1 Image | CSCuv72010
Traceback and reload triggered by failover configuration | CSCuq27342
PPPoE session state timer does not initialize properly | CSCut23991
ASA 8.4 Memory leak due to duplicate entries in ASP table | CSCuq57307
ASA :Top 10 Users status is not getting enabled from ASDM. | CSCut67315
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ | CSCuu08031
Secondary ASA stuck in config sync while upgrading to 8.4.x | CSCut37042
Multiple problems with output of show processes memory | CSCuj68919
'redistribute' cmds under 'router eigrp' removed on deleting any context | CSCuv10938


ASA Cluster: Default OSPF route gone on Master unit | CSCus24519
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA | CSCuu53928
ASA silently dropping OSPF LS Update messages from neighbors | CSCut01395
ASA-3-317012 and "No route to host" errors even though the route exists | CSCuu99349
ASA: ECMP stopped working after upgrade to 9.3.2 | CSCuu00733
Misleading route-map warning message | CSCus64394
RRI static routing changes not updated in routing table | CSCur09141
Standby ASA does not apply OSPF route after config replication | CSCut10078
xszASA 9.2.1 Eigrp Authentication does not work with 16 character key | CSCut26062
Remove demo and eval warning for sfr monitor-only | CSCuu02635
ASAv cannot send SL messages after toggeling of "service call-home" cmd | CSCus79307
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg | CSCus79129
snmpwalk causes slow memory leak on ASA | CSCuu04160
"ssh scopy enable" deleted from configuration | CSCuu07308
ASA not checking the MAC of the TLS records | CSCuu52976
Cisco ASA Poodle TLS Variant | CSCuu93339
Cut Through proxy not working correctly with TLS1.2 | CSCus27650
SSL connection failing to WebVPN portal | CSCuu97304
SSL : Unable to Join nodes in Cluster | CSCuv51649
Evaluation of OpenSSL June 2015 | CSCuu83280
MARCH 2015 OpenSSL Vulnerabilities | CSCut46019
ASAv traceback in DATAPATH when used for WebVPN | CSCuu87823
JANUARY 2015 OpenSSL Vulnerabilities | CSCus42901
To-the-box UDP traffic not getting inspected and getting dropped on ASA | CSCut64846


ASA teardown connection after receiving same direction fins | CSCus11465
conn-max counter is not decreased accordingly | CSCuu86195
NFS connections not timing out after failover | CSCut04182
Per-session PAT RST sent to incorrect direction after closing session | CSCut39985
ASA traceback because of TD tcp-intercept feature | CSCut49111
Exception on asdm_handler stream line: </threat-detection> | CSCus89139
ASAv requires a reboot for the license to take effect. | CSCus54537
ASAv: RSA key pair needs to be automatically generated with 2048 bits | CSCuu09302
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno) | CSCuu07462
ASA Traceback in SSL library due to DMA memory exhaustion | CSCus89286
ASA traceback in Thread Name: fover_parse | CSCus53692
AnyConnect upgrade from AC 2.5 to AC 3.1 fails | CSCus37840
Cisco ASA VPN XML Parser Denial of Service Vulnerability | CSCus95290
HTML/Java File Browser- created file or folder shows 9 months offset | CSCuc16662
ASA WebVPN clientless cookie authentication bypass | CSCut71095
WebVpn: portal is not displayed after re-login | CSCuu48813
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread | CSCuv30184
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame | CSCuu18564
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly | CSCuu18527
ASA WebVPN: Javascript fails to execute when accessing internal portal | CSCuu32905
Issue with downloading images from Sharepoint | CSCut85049
rewriter returns 302 for a file download | CSCuv38654
Src url of video track tag not mangled via webvpn | CSCut35406
WebVPN: Tsweb fails to work through clientless portal | CSCut58935


WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app | CSCut39169
Mac version smart-tunnel uses SSLv3 which is a vulnerability | CSCur42776
Windows 8 with new JRE, IE is not gaining access to smart tunnel | CSCuq10239

End-User License Agreement

For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 Cisco Systems, Inc. All rights reserved.