Cisco PIX Security Appliance Release Notes Version 7.2(2)
November 2006
Contents
This document includes the following sections:
• Introduction
• System Requirements
• New Features
• Important Notes
• Caveats
• Related Documentation
• Obtaining Documentation
• Documentation Feedback
• Cisco Product Security Overview
• Product Alerts and Field Notices
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
Introduction
Note
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(2).
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.
For more information on all the new features, see New Features.
Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.
System Requirements
The sections that follow list the system requirements for operating a security appliance.
Note
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(2).
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists Flash memory requirements for Version 7.2(2).
Table 1 Flash Memory Requirements
Security Appliance Model | Flash Memory Required in Version 7.2(2)
PIX 515/515E | 16 MB
PIX 525 | 16 MB
PIX 535 | 16 MB
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Software Requirements
Version 7.2(2) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.2(2) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
2. For information on specific licenses supported on each model of the security appliance, go to the following website: www.cisco.com/go/license
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "http://www.cisco.com/pcgi-bin/tablebuild.pl/pix" for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(2). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(2). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
• While executing commands such as the write terminal and show running-config commands
• Failover (the configuration synchronization time)
• During a system reload
Cisco VPN Software Interoperability
Cisco VPN Series | Interoperability Comments
Cisco IOS routers | Version 7.2(2) requires Cisco IOS Release 12.3(T)T or higher running on the router when using IKE Mode Configuration on the security appliance.
Cisco VPN 3000 concentrators | Version 7.2(2) requires Cisco VPN 3000 concentrator Version 3.6 or higher for correct VPN interoperability.
Cisco VPN Client Interoperability
Cisco VPN Client | Interoperability Comments
Cisco VPN client v3.x/4x (Unified VPN client framework) | Version 7.2(2) supports the Cisco VPN client Version 3.6 or higher that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or higher that runs on Linux, Solaris, and Macintosh platforms.
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Remote | Interoperability Comments
Cisco PIX Security Appliance Easy VPN remote v6.3 | Version 7.2(2) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
VPN 3000 Easy VPN remote v3.x/4x | Version 7.2(2) Cisco Easy VPN server requires Version 3.6 or higher of the Easy VPN remote that runs on the VPN 3002 platform.
Cisco IOS Easy VPN remote Release 12.2(16.4)T | Version 7.2(2) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance. Alternatively, the software version is shown on the Cisco ASDM home page.
Upgrading to a New Software Version
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/cgi-bin/tablebuild.pl/pix
If you want to upgrade from Version 7.1(x) to 7.2(x), or downgrade from 7.2(x) to 7.1(x), you must follow the steps below, because older security appliance images do not recognize new ASDM images and new security appliance images do not recognize old ASDM images.
You can also use the command-line interface to download the image; see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.
To upgrade from Version 7.1(x) to 7.2(x), you must perform the following steps:
Step 1 Load the new Version 7.2(x) image from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa
Step 2 Reload the device so that it starts using the Version 7.2(x) image.
Step 3 Copy the new ASDM Version 5.2(x) image from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa
Step 4 Enter the following command, which tells the security appliance where to find the ASDM image (asdm_file is the file name of the ASDM image you copied to flash):
hostname(config)# asdm image flash:/asdm_file
To downgrade from Version 7.2(x) to 7.1(x), you must perform the following steps:
Step 1 Load the earlier Version 7.1(x) image from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa
Step 2 Reload the device so that it uses the Version 7.1(x) image.
Step 3 Copy the ASDM Version 5.1(x) image from the following website:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa
Step 4 Enter the following command, which tells the security appliance where to find the ASDM image (asdm_file is the file name of the ASDM image you copied to flash):
hostname(config)# asdm image flash:/asdm_file
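The upgrade steps above as typed at the PIX command line, added here as an example that is not part of the release notes. The TFTP server and image file names in angle brackets are placeholders for your server and the files downloaded from the site named in the steps; the copy, boot system, write memory and show asdm image commands are standard PIX 7.x commands that the steps do not spell out.

```cisco
! Added example, not from the release notes. <tftp-server>, <pix-7.2-image>.bin
! and <asdm-5.2-image>.bin are placeholders for your TFTP server and the
! downloaded image files.
!
! Step 1: copy the new security appliance image to flash and make it the
! image the appliance boots from.
hostname# copy tftp://<tftp-server>/<pix-7.2-image>.bin flash:/<pix-7.2-image>.bin
hostname# configure terminal
hostname(config)# boot system flash:/<pix-7.2-image>.bin
hostname(config)# write memory
hostname(config)# exit
!
! Step 2: reload so the appliance starts running the 7.2(x) image before the
! new ASDM image is registered (the old image does not recognize it).
hostname# reload
!
! Step 3: after the reload, copy the matching ASDM 5.2(x) image to flash.
hostname# copy tftp://<tftp-server>/<asdm-5.2-image>.bin flash:/<asdm-5.2-image>.bin
!
! Step 4: tell the appliance which ASDM image to serve, then save.
hostname# configure terminal
hostname(config)# asdm image flash:/<asdm-5.2-image>.bin
hostname(config)# write memory
hostname(config)# exit
!
! Confirm that the running software and the registered ASDM image match.
hostname# show version
hostname# show asdm image
```

The downgrade procedure uses the same sequence with the 7.1(x) and ASDM 5.1(x) files in place of the 7.2(x) and 5.2(x) ones.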
New Features
This section lists the new features for Version 7.2(2). All new features are supported in ASDM 5.2(2).
HTTP(S) Authentication Challenge Flexible Configuration
In Version 7.2(2), the security appliance authenticates HTTP network connections using basic HTTP authentication and authenticates HTTPS connections by generating similar custom login windows. This is the same behavior that was present in Version 7.1 and earlier. You can use basic HTTP authentication if:
• You do not want the security appliance to open listening ports
• You use NAT on a router and you do not want to create a translation rule for the web page served by the security appliance
• Basic HTTP authentication might work better with your network. For example, non-browser applications, such as a URL embedded in an email, might be more compatible with basic authentication.
The new aaa authentication listener command enables the security appliance to authenticate web pages and selects the form-based redirection approach that is used in Version 7.2(1). In the absence of this new command, the Version 7.1 authentication method is used.
Note
By default, the aaa authentication listener command is not present in the configuration, making Version 7.1 aaa behavior the default for 7.2(2). However, when a Version 7.2(1) configuration is upgraded to Version 7.2(2), the appropriate aaa authentication listener commands are added to the configuration so that the aaa behavior is not changed by the upgrade.
In Versions 7.1 and prior, the security appliance authenticated HTTP and HTTPS network connections by interacting with the client in a transparent manner, by using basic authentication for HTTP connections and by generating similar custom login windows for HTTPS connections. After successfully authenticating the client, the security appliance would connect through to the intended server. This approach did not require listening ports to be opened on the security appliance interfaces.
In Version 7.2(1), this functionality was replaced by a form-based authentication approach in which HTTP and HTTPS connections are redirected to authentication pages that are served from the security appliance. After successful authentication, the browser is redirected again to the originally intended URL. This was done to provide:
• More graceful support for authentication challenge processing
• An identical authentication experience for HTTP and HTTPS users
• A persistent logon/logoff URL for network users
This approach does require listening ports to be opened on the security appliance on each interface on which aaa authentication is enabled.
Important Notes
This section lists important notes related to Version 7.2(2).
virtual http Command
The virtual http command has been restored. This is needed with basic authentication when you have cascading authentication requests.
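The two authentication styles described in the HTTP(S) Authentication Challenge Flexible Configuration section, together with the restored virtual http command, as an added configuration example that is not from the release notes. The aaa-server group name, access-list name and addresses are constructed values; the aaa-server, access-list and aaa authentication match commands are standard PIX 7.x syntax, and the listener keyword syntax (interface, port, redirect) is assumed from the 7.2 command reference rather than stated on this page.

```cisco
! Added example, not from the release notes. AUTH-RAD, AUTH-WEB, 10.1.1.5 and
! 10.1.0.0/16 are constructed values; the listener keyword syntax is assumed.
!
! RADIUS server that answers the cut-through proxy authentication requests.
aaa-server AUTH-RAD protocol radius
aaa-server AUTH-RAD (inside) host 10.1.1.5
 key <radius-shared-secret>
!
! Which flows must authenticate before they are allowed through.
access-list AUTH-WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list AUTH-WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq https
aaa authentication match AUTH-WEB inside AUTH-RAD
!
! Style A: the 7.1 behavior, which is the 7.2(2) default. No listener command
! is present, so HTTP clients receive a basic-authentication challenge
! in-line and no listening port is opened on the appliance. The restored
! virtual http command handles cascading authentication, that is, the
! appliance's challenge followed by the destination web server's own.
virtual http
!
! Style B: the 7.2(1) form-based redirection. Each listener opens a port on
! the named interface, and "redirect" sends the browser to the appliance's
! login page and then back to the originally requested URL. Choose one style
! per interface on which aaa authentication is enabled.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
```

Open caveat CSCsg77390 on this page records a conflict between a port-to-port static for port 80 and an aaa http listener on the same interface, so check existing static translations before choosing the listener port.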
FIPS 140-2
Version 7.2(2) has been submitted for FIPS 140-2 Level 2 validation.
User Upgrade Guide
Before upgrading to Version 7.2(2), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/index.htm
Caution 
If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(2) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(2) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:
• ACE insertion capability — Provides simplified system configuration and management, which allows you to add, delete, or modify individual ACEs.
• Outbound ACLs and time-based ACLs — Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
• Enabling and disabling of ACL entries — Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.
Features not Supported in Version 7.2(2)
The PPTP feature is not supported in Version 7.2(2).
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution 
Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
Caveats
The following sections describe the caveats for Version 7.2(2).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
• Commands are in boldface type.
• Product names and acronyms may be standardized.
• Spelling errors and typos may be corrected.
Note
If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Version 7.2(2)
Table 2 Open Caveats
DDTS Number | Corrected in Software Version 7.2(2) | Caveat
CSCsd50888 | No | L2TP: connections fail intermittently -> error 678: There was no answer
CSCse88291 | No | ASA crashes with WEBVPN user login when memory is running low.
CSCse92565 | No | Traceback in Thread Name: tmatch compile thread after clear config all
CSCsf04123 | No | Packet drops through VPN due to No route to VPN_peer_ip_address
CSCsf05298 | No | Citrix not supported with CSC module
CSCsf13404 | No | PIX cosmetic high memory use in context show memory
CSCsf25418 | No | Traceback in Thread Name: tmatch compile after assert
CSCsf27202 | No | AAA Radius NAS-Port-Type not sent in authentication request
CSCsg03102 | No | Minor correction to vpn-addr-assign command reference documentation
CSCsg20953 | No | WebVPN sessions created in the Secure Desktop don't expire
CSCsg26668 | No | Undefined CSCO functions in JavaScript-generated HTML
CSCsg34853 | No | Traceback with Thread Name: Dispatch Unit
CSCsg38186 | No | Traceback in Thread Name: Dispatch Unit
CSCsg43591 | No | SCP connection to PIX fails
CSCsg46962 | No | WebVPN some functions do not work in javascript
CSCsg47023 | No | L2TP Connections with Certificates to ASA Fail to Connect
CSCsg47241 | No | Traceback when parsing LDAP config
CSCsg48442 | No | Ping through ASA fails when using interface PAT on PPPoE interface
CSCsg53120 | No | ASA WebVPN Time-out on Database Requests
CSCsg56876 | No | ASA may crash after applying http or IM deep inspection
CSCsg60095 | No | VPN traffic permitted by vpn-filter is denied
CSCsg61719 | No | SNMP: Coldstart Trap is not sent
CSCsg62488 | No | Traceback in Thread Name: Unicorn Proxy Thread
CSCsg62878 | No | ocsp signer crl checking with crl none is not falling back to none
CSCsg63145 | No | Traceback with Thread Name: PIX Garbage Collector
CSCsg64427 | No | Compression: Can't turn off http-comp
CSCsg64450 | No | FO: http auth message should be suppressed on standby console
CSCsg64948 | No | 1550 blocks exhausted during radius authentication stress test
CSCsg65434 | No | Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list
CSCsg66126 | No | Large H.323 Registrations Fail through PIX
CSCsg67443 | No | ASA Fails Recursive Route Lookup
CSCsg67961 | No | L2TP: IKE rekeying prior to IPSec rekey terminates MAC L2TP
CSCsg68141 | No | Show run router causes traceback in thread name: ci/console
CSCsg69275 | No | 1017-88 byte blocks leaked: _tmatch_summary_func+2877 after vpn sys test
CSCsg69281 | No | 3000 - 576 byte blocks leaked: _kernel_delete_sa+39 after vpn sys stress
CSCsg69408 | No | Need warning when using time based ACLs with policy NAT/PAT
CSCsg69448 | No | Need to update 7.x conf guides, time based ACLs not supported w/nat-pat
CSCsg69469 | No | Incorrect user privileges when logging in with ASDM 5.2.1.54
CSCsg69998 | No | tcp intercept not working when the inside host is running windows OS.
CSCsg70012 | No | no sysopt noproxyarp c1in failed to remove noproxyarp for interface c1in
CSCsg70698 | No | Session timer is not reset during WebVPN ActiveX and Java tunneling
CSCsg71369 | No | P1 SA stuck in AM_FREE on secondary for ipsec sessions using net ext mod
CSCsg71416 | No | encrypt rules added in wrong order - NEM misconfig causes data issues
CSCsg71534 | No | 40 P1 sa's got stuck in MM_Wait_Delete on secondary w/vpn system test
CSCsg71579 | No | Programming assertion malloc.c:3822 on secondary after failover from pri
CSCsg73076 | No | L2TP/IPSEC to ASA with certificates fails over low speed ISDN
CSCsg73376 | No | Traceback in Thread Name: ci/console with large config tftp download
CSCsg75094 | No | LDAP: ASA cannot authenticate to Active Directory using MD5
CSCsg75996 | No | Radius authentication with downloadable acls causes crash
CSCsg76777 | No | 7.2 transparent / change of behavior : ASA does not retain the src mac
CSCsg77097 | No | WebVPN OWA 2003 email.cisco.com inbox fails to load intermittent
CSCsg77099 | No | WebVPN Java archives with uncompressed entries fail through rewriter
CSCsg77390 | No | AAA: port-to-port static for port 80 and aaa http listener on same ifc
CSCsg77841 | No | Cfg Guide: remove flash size match from failover hw criteria
CSCsg78524 | No | With WebVPN login we type it once incorrectly and the ASA tries 3 times
Resolved Caveats - Version 7.2(2)
Table 3 Resolved Caveats
DDTS Number | Corrected in Software Version 7.2(2) | Caveat
CSCei33965 | Yes | MPC embryonic timeout value overwrite global conn timeout
CSCek62768 | Yes | crash in Unicorn Proxy Thread with large WebVPN session count in build30
CSCsb54431 | Yes | clear in unprivileged mode should be removed if not applicable.
CSCsb63230 | Yes | Need a command to perform SSM password recovery from the ASA CLI
CSCsc01694 | Yes | CRC errors on SSM-4GE Electrical ports on initial bringup
CSCsc37965 | Yes | IP-directed broadcasts no longer allowed through device.
CSCsc89262 | Yes | Syslog 722007 (WEBVPN_SVC_MSG_EMERG) severity needs to be changed
CSCsd13314 | Yes | 'show service policy flow' command shows incorrect flow match
CSCsd40989 | Yes | L2TP: Populate client type/version within session database
CSCsd45605 | Yes | 2 routes to same n/w w same metric different ifx should not be allowed
CSCsd52578 | Yes | Traceback in thread: snp_timer_thread
CSCsd54495 | Yes | Traceback eip _strdup(0xebacac)+0x78 with large customer configuration
CSCsd57264 | Yes | MPF: type syntax in help policy-map is missing a ]
CSCsd58688 | Yes | SVC connections are not exempt from aaa authentication rules like IPSec
CSCsd59295 | Yes | WCCP static bypass not working with vlan interfaces
CSCsd59936 | Yes | Registering to the RP for PIM fails if fragmented in more than 12 packs
CSCsd60448 | Yes | Proxy-bypass with automatic choice of target server
CSCsd64749 | Yes | Failover: automatic removal of SSL trustpoint not replicated to stdby
CSCsd67093 | Yes | PPPoE:Vpdn group for PPPoE shouldn't be configurable in Transparent mode
CSCsd67160 | Yes | PPPoE:ip address pppoe cmd shouldn't be configurable in multi mode
CSCsd70581 | Yes | Crash output to console has incomplete configuration
CSCsd71387 | Yes | EzVPN: Tback IKE Daemon (Old pc 0x00507425 ebp 0x0333c6d8)
CSCsd74328 | Yes | Traceback when changing sec level on an ifc and failover cfg with NAT
CSCsd74551 | Yes | Add NP drop reason documentation for WCCP drops
CSCsd81262 | Yes | CA cert with spaces could fail to install
CSCsd81294 | Yes | 'crypto ca import' of SSL cert may traceback in Thread Name: accept/http
CSCsd82307 | Yes | FO: CLI position can get out of sync causing cmd replication failures
CSCsd82575 | Yes | unexpected IGMP joins sent when configuring multicast routing
CSCsd84011 | Yes | REGEX: ^ (match from beginning of text) does not work in some cases
CSCsd88471 | Yes | VPNLB SVC uses virtual cluster certificate after redirecting to a master
CSCsd91587 | Yes | functioning email proxy session generates syslog message error
CSCsd93380 | Yes | Packets for VPN-l2l peer get dropped instead of encrypted
CSCsd94372 | Yes | dhcp proxy: no RELEASE sent after failover and disconnect of vpn client
CSCse00996 | Yes | tcp normalizer drop to-the-box traffic not conforming to RFC793 (MSS)
CSCse01293 | Yes | Traceback in Thread Name: arp_forward_thread
CSCse02354 | Yes | Traceback in Thread Name: Dispatch Unit
CSCse03176 | Yes | Problem of group-name used in 'sasl-mechanism kerberos group-name'
CSCse05819 | Yes | PIX: 33MHz GIG cards show speed/duplex unknown if nonegotiate configured
CSCse07242 | Yes | Traceback in pix_flash_config_thread
CSCse08726 | Yes | LDAP group-based policy Enforcement shouldn't require Cisco schema
CSCse08746 | Yes | ASA send Radius attribute 31 source IP address as 0.0.0.0
CSCse09458 | Yes | RadiusSDI feature of VPN Client fails with blank XAUTH text
CSCse09503 | Yes | Syslog 304001 not generated when strict-http action allow log configured
CSCse10096 | Yes | i2c_write_byte_w_suspend() error after rebooting ASA5505
CSCse10714 | Yes | Shun behavior change in 7.x
CSCse12021 | Yes | Error msg change when attempt auth-srvr-group None in ipsec tunn-grp
CSCse13544 | Yes | Increase in memory usage after enabling-disabling webvpn
CSCse14296 | Yes | Trustpoint not found if ASA not enrolled with the trustpoint
CSCse15854 | Yes | clear config webvpn only partially clean-up proxy-bypass...
CSCse15977 | Yes | Traceback when two admin sessions are working on the same capture
CSCse17176 | Yes | SUA policy is unspecified -WEB login requires user to authenticate twice
CSCse17638 | Yes | IM: Misc CLI issues
CSCse17660 | Yes | Incorrect LDAP debug error when incorrect RDN configured
CSCse18005 | Yes | PIX/ASA originate-only VPN fails to create dynamic ACL
CSCse19020 | Yes | PPTP Pass-through not working due to inspection
CSCse20501 | Yes | Passive FTP to Multinet server fails
CSCse20538 | Yes | IKE Syslogs 713041 713042 should specify interface name
CSCse21451 | Yes | Memory leak in VPN fover module during failover config syncing
CSCse22330 | Yes | Traceback in Thread Name: Dispatch Unit
CSCse22332 | Yes | Failed to deploy config when first line in config contain ! character
CSCse22659 | Yes | CIFS server names limited to 15 characters
CSCse22668 | Yes | CIFS should use DNS lookups for long server names
CSCse23164 | Yes | traceback in thread Name: qos_metric_daemon
CSCse23165 | Yes | Message sent to client when aaa authorization fails has changed
CSCse23554 | Yes | Memory leak within event_smtpmgr:es_SmtpSndMSG function
CSCse23751 | Yes | Nested tracebacks may not stop without manual device reload
CSCse24432 | Yes | DHCPRelay: Some clients may not get NACKs
CSCse24537 | Yes | RIP: [no] access-list defined in distribute-list should display err msg
CSCse24921 | Yes | debug icmp does not show request packet being sent
CSCse25515 | Yes | FO: dhcpd warnings seen on standby during replication of config
CSCse26317 | Yes | inspect radius-acct: show user with IP causing err msg w/ multiple pmaps
CSCse26469 | Yes | Cannot store more than one vpdn username/password pairs locally
CSCse27184 | Yes | basic attribute is not checked in all mode config attributes, may reload
CSCse27249 | Yes | FO: interface monitoring not working on most recent created interface
CSCse27787 | Yes | AIC SIP: SIP messages might fail state-check knob when record-route on
CSCse28430 | Yes | MS AD-LDAP: set default RDN-Naming Attribute to be sAMAccountName
CSCse28540 | Yes | LDAP admin bind: support secure SASL-MD5 and SASL-Kerberos methods
CSCse29700 | Yes | WebVPN and SVC Sessions being disconnected due to Idle Timeouts 40+Days.
CSCse29840 | Yes | AdmissionConfirm received without an AdmissionRequest, ACF dropped
CSCse30049 | Yes | SSH conns to the box not removed after a Failover
CSCse30061 | Yes | VPN decompress error when decrypting packet with IP compression
CSCse30102 | Yes | VPN dynamic ACL can be deleted from the CLI
CSCse30616 | Yes | ASA VPN load balancing cannot ping cluster ip address
CSCse32309 | Yes | Timeout of secondary flow causes traceback in Thread Name: Checkheaps
CSCse33143 | Yes | Dynamic ACL created under with command access-list <name> d ...
CSCse33211 | Yes | aaa http authentication doesn't work when interface IP is named
CSCse33736 | Yes | DoD Certs:Subject Alternative Name support for VPN Author for IPSec RA
CSCse33851 | Yes | H.225 releasecomplete message was dropped by the firewall
CSCse33986 | Yes | Small memory leak when tunnel denied due to unavailable Integrity Server
CSCse34179 | Yes | MFW-R: traceback in 'clear cfg all' during a performance test.
CSCse34477 | Yes | ESMTP: mail-relay param w/o any action accepted, junk chars in sho run
CSCse34508 | Yes | ESMTP: help mail-relay display needs changes
CSCse34540 | Yes | telnet and http(asdm) conns are not removed after failover
CSCse35370 | Yes | AIC SIP: should not allow overwrite inspect sip <pmap> @ default class
CSCse35566 | Yes | Traceback with 'Thread Name: Dispatch Unit' on clear xlate
CSCse35610 | Yes | traceback in ci/console after editing group-p CLI sitting at more prompt
CSCse35636 | Yes | RTP Conformance print SSRC re-initializing message for bad SSRC Packet
CSCse36112 | Yes | PIX/ASA never processes huge access-list if it runs short of memory
CSCse36519 | Yes | IM: MSN code improvement to reduce the risk of false positives
CSCse36691 | Yes | Traceback on 'cl conf all' with delay-free-poisoner enabled
CSCse37315 | Yes | AIC DNS - Traceback after removing certain MPF actions with DNS traffic
CSCse37733 | Yes | ASA Crash with nat ID as 0
CSCse37787 | Yes | Traceback after becoming Active with VPN connections
CSCse38062 | Yes | ICA Client users cannot connect to Citrix through WebVPN
CSCse38087 | Yes | Kerberos authentication fails after during stress test in multiple-mode
CSCse38659 | Yes | unexpected IGMP rejoins when joins previously cfg'd and mcast re-enabled
CSCse39344 | Yes | AD UserAccountControl attrib not enforced if using LDAP Authorization
CSCse40332 | Yes | ASA multiple mode rollback of config failed for admin and other VC
CSCse40671 | Yes | RTSP w/PAT, PIX set client_ports to NULL
CSCse40704 | Yes | Lock IMB boot code
CSCse41071 | Yes | ldap-login-password not hidden in config
CSCse41663 | Yes | WebVPN using SDI Auth - New PIN mode does not work - IPSec OK
CSCse42014 | Yes | Java applets archive mangling fails when the codebase is a full url
CSCse42332 | Yes | ASA5505: PORT up/down stat is not reflected in show stat + more
CSCse42413 | Yes | Traceback after WebVPN authentication with FreeRadius
CSCse43078 | Yes | WebVPN: links at www.microsoft.com fail to work
CSCse43152 | Yes | WebVPN/SVC Radius Passwd-Mngt fails when using domain\username format
CSCse43611 | Yes | Flash: Wr mem running-config to flash has some issues
CSCse43807 | Yes | webvpn url entry with embedded user:Passwd fails with URl is invalid
CSCse44138 | Yes | WebVPN Citrix ICA connection losing connectivity due to client_tx_q_full
CSCse44258 | Yes | Modifying vpn-filter acl blocks normal traffic from inside to outside
CSCse45308 | Yes | Static nailed rule does not match conn destined for that address
CSCse45327 | Yes | VPN stateful failover gets out of sync
CSCse45694 | Yes | Standby: Traceback in Thread Name: IKE Daemon with dACL
CSCse45948 | Yes | write memory all did not report failure for failing to save config
CSCse45971 | Yes | Calling-Station-ID passed to radius as 0.0.0.0 for webvpn with pw mgmt
CSCse46220 | Yes | ASA: Poor Performance and Out-of-Order packets with SSM module enabled
CSCse46292 | Yes | Traceback in Thread Name: snmp
CSCse46874 | Yes | Enhancement: per-interface authorization for IPSec connections
CSCse47150 | Yes | Traceback in Thread Name: Dispatch Unit with ESMTP Inspect enabled
CSCse47328 | Yes | Fix RM flow drop reason #defines
CSCse47400 | Yes | WebVPN: Unable to Authenticate using DoD Certificate
CSCse48146 | Yes | AIC SIP: fails to match request method <unknown> in inspect SIP pmap
CSCse48193 | Yes | ASA vulnerable to cross-site scripting when using WebVPN
CSCse49450 | Yes | AAA - dACL and Cisco-AV-Pair ACLs are only applied to the 1st SVC user
CSCse49851 | Yes | 7.2 5510 security plus license should support only 2 contexts by default
CSCse50716 | Yes | URL Filtering: Traceback with Thread Name: Dispatch Unit
CSCse50772 | Yes | L2TP/IPSec: MS-Clients unable to connect when ASA is behind a NAT device
CSCse50782 | Yes | DNS-based LDAP Authentication/Authorization fails
CSCse50804 | Yes | OSPF stuck in EXCHANGE in certain asymmetric routing scenarios
CSCse52050 | Yes | Very large ACL applied to NAT or Crypto may traceback in Checkheaps
CSCse53294 | Yes | Configuration begin syslog 111007 shows wrong local ip address with ssh
CSCse53987 | Yes | 'vPif_getVpif: bad vPifNum' errors with cut-through proxy enabled
CSCse54543 | Yes | ASA cosmetic high memory use in context show memory
CSCse54582 | Yes | AAA: Traceback in Thread Name: Dispatch Unit with Radius auth
CSCse54749 | Yes | 210007 LU allocate xlate failed syslog generated by overlapping nat cfg
CSCse55066 | Yes | VPN: originate-only VPN fails after failover
CSCse55931 | Yes | 1550 byte block depletion prohibits websense communication
CSCse57386 | Yes | 5505: EZVPN Remote: DPD timeout is 5 minutes,should be 90 sec
CSCse57889 | Yes | Execute certain fover cmds trigger interface testing
CSCse58602 | Yes | SVC fails to establish if Cisco-AV-Pair contain both ip and webvpn ACEs
CSCse59113 | Yes | 5510 base license should not limit 4ge card
CSCse59498 | Yes | WebVPN: Citrix traffic may cause Traceback in Thread Name: Dispatch Unit
CSCse59955 | Yes | Rommon in ASA5505 main card would reset ASA-SSC-10 card.
CSCse61225 | Yes | Support daylight savings changes in Energy Policy Act of 2005
CSCse61315 | Yes | SSMIO-4GE SFP interfaces G1/1 - G1/3 don't operate
CSCse61696 | Yes | HTTP server enable doesn't take Port number change in Multiple-router mo
CSCse62603 | Yes | alias command does not work
CSCse62914 | Yes | Standby device Traceback in Thread Name: tcp_thread
CSCse63079 | Yes | cpu hog in ssh_init process when connecting via SSH
CSCse63596 | Yes | inspect RSH fails when 1st segment contains more than just port
CSCse65000 | Yes | WebVPN: Cisco Call Manager is failing thru rewriter
CSCse66007 | Yes | AAA commands not working for serial console in multi context mode
CSCse66133 | Yes | Traceback in Thread Name: ssh when ACLs are displayed in SSH or ASDM
CSCse66235 | Yes | Memory exhausts with logging flash-bufferwrap and high syslog level
CSCse66442 | Yes | cut-thru proxy: 'Authentication not required' returned on browse to pix
CSCse66490 | Yes | Traceback with 'Thread Name: accept/http' after editing time-based ACLs
|
CSCse67584
|
Yes
|
ldap attr map CLI renders console/session unusable in multi mode
|
CSCse67916
|
Yes
|
Potential memory leakages in webvpn_ica_socks.c with ASA internal errors
|
CSCse68781
|
Yes
|
Traceback in Thread Name: emweb/https when starting to load WebVPN
|
CSCse70163
|
Yes
|
5505/SSC I2C lock up in Rommon.
|
CSCse70181
|
Yes
|
WebVPN: Traceback when using 'debug webvpn citrix 10'
|
CSCse70993
|
Yes
|
Traceback when applying large ACL to NAT or Crypto Map
|
CSCse71146
|
Yes
|
IPSec RA clients with large dACL may cause Traceback in Thread Name:aaa
|
CSCse73812
|
Yes
|
Traceback in Thread Name: Dispatch Unit when L2L VPN Initiator
|
CSCse74097
|
Yes
|
Mac-exempt: mac spoofing does not generate the expected syslog
|
CSCse74391
|
Yes
|
WebVPN not using custom text color for some dialogs
|
CSCse74778
|
Yes
|
Traceback in Thread Name: IP Thread with PPPoE enabled
|
CSCse74838
|
Yes
|
WebVPN: DSF Referral messages missing on distributed Servers over WebVPN
|
CSCse75485
|
Yes
|
Traceback in Thread Name: fover_parse during config sync
|
CSCse75523
|
Yes
|
Received ARP request collision when issuing write standby
|
CSCse76085
|
Yes
|
WebVPN: OWA: file download with size>100KB stops
|
CSCse76095
|
Yes
|
Traceback in Thread Name: Checkheaps when starting WebVPN
|
CSCse76115
|
Yes
|
Cascade delimiter not inserted with correct priority for dynamic crypto.
|
CSCse76150
|
Yes
|
No TACACS+ authorization request sent for show run command
|
CSCse76171
|
Yes
|
ASA reverse bytes order of DHCP scope when using SVC
|
CSCse76480
|
Yes
|
4 byte block allocation lacks the padding
|
CSCse77122
|
Yes
|
FTP-data connection not replicated back to primary after failover
|
CSCse77261
|
Yes
|
Traceback in Thread Name: MFIB with pim mcast routing
|
CSCse77680
|
Yes
|
P2 in progress test broken - could cause unexpected rekey.
|
CSCse77855
|
Yes
|
buffer leak upon IPSEC spoofing.
|
CSCse77943
|
Yes
|
Failover: Primary takes over as Active after reload
|
CSCse78065
|
Yes
|
# sign in config not replicated to Standby unit
|
CSCse78228
|
Yes
|
7.2.1 Crash in snp_tcp_ha_flow_belongs_to_active_context
|
CSCse78299
|
Yes
|
Primary/Secondary units become Active state when failover link failed
|
CSCse78755
|
Yes
|
Traceback in Thread Name: Dispatch Unit when starting DPD timer for SVC
|
CSCse78779
|
Yes
|
Standby become active after fo link failed with fover hold time > 15 sec
|
CSCse79422
|
Yes
|
RA VPN Phase 2 fails when local pool with classless mask is used
|
CSCse80001
|
Yes
|
Traceback in IKE daemon while trying to post event (syslog)
|
CSCse80897
|
Yes
|
AAA: User-Password and EAP-Proxy should not be in same RADIUS request
|
CSCse81073
|
Yes
|
WebVPN: Traceback with Thread Name: emweb/https
|
CSCse81232
|
Yes
|
Failover pair loses failover state configuration after upgrade to 7.2.1
|
CSCse81273
|
Yes
|
Traceback 'Thread Name: Dispatch Unit' with PPPOE and SSM-CSC
|
CSCse81330
|
Yes
|
Strict HTTP inspection ignores '304 Not Modified' -syslog message 415014
|
CSCse81633
|
Yes
|
ASA 4GE-SSM Gig ports silently drop IGMP joins
|
CSCse81656
|
Yes
|
LDAP CLI is not displaying quotes when parameters contain spaces
|
CSCse82262
|
Yes
|
No specific error message while uploading a file via HTTPS
|
CSCse82743
|
Yes
|
Java applet fails to load |