Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 7.2(3)

Downloads

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 7.2(3)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Version

Supported Platforms and Feature Licenses

New Features

capture Command Enhancement

Support for ESMTP over TLS

DHCP Client

WAAS and PIX Interoperability

ASDM Banner Enhancement

Important Notes

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported

Downgrade to Previous Version

Caveats

Open Caveats - Version 7.2(3)

Resolved Caveats - Version 7.2(3)

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Cisco PIX Security Appliance Release Notes Version 7.2(3)

August 2007

Contents

This document includes the following sections:

Introduction

System Requirements

Supported Platforms and Feature Licenses

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).

The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.

For more information on all of the new features, see New Features.

Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.

System Requirements

The sections that follow list the system requirements for operating a security appliance.

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).

Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.2(3).

Table 1 Flash Memory Requirements 

Security Appliance Model
Flash Memory Required in Version 7.2(3)

PIX 515/515E

16 MB

PIX 525

16 MB

PIX 535

16 MB


For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.2(3) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.2(3) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

2. For information on specific licenses supported on each model of the security appliance, go to the following website: www.cisco.com/go/license

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "http://www.cisco.com/pcgi-bin/tablebuild.pl/pix" for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(3). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(3). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 7.2(3) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 7.2(3) requires Cisco VPN 3000 concentrator Version 3.6 or later for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 7.2(3) supports the Cisco VPN client Version 3.6 or later that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN remote v6.3

Version 7.2(3) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote v3.x/4x

Version 7.2(3) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 7.2(3) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance. Alternatively, you can see the software version, on the Cisco ASDM home page.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Note PIX and ASDM images must be compatible for example PIX Version 7.2(3) is compatible to ASDM Version 5.2(3). ASDM will not work with an incompatible platform version. You will get an error message and ASDM will close.

You can also use the command-line interface to download the image, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.1.(x) to 7.2(3), you must perform the following steps:

Step 1 Load the new Version 7.2(3) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will start using the Version 7.2(3) image.

Step 3 Copy new ASDM Version 5.2(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file

To downgrade from Version 7.2(3) to 7.1.(x), you must perform the following steps:

Step 1 Load the earlier Version 7.1(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will be use the Version 7.1(x) image.

Step 3 Copy the ASDM Version 5.1(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file

Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

PIX 515/515E, Table 2

PIX 525, Table 3

PIX 535, Table 4

Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.

Table 2 PIX 515/515E Security Appliance License Features 

PIX 515/515E
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional license: 5

2

Optional license: 5

2

Optional license: 5

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

10

25

25

25

Concurrent Firewall Conns2

48 K

130 K

130 K

130 K

Max. Physical Interfaces

3

6

6

6

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

64 MB

128 MB

128 MB

128 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 3 PIX 525 Security Appliance License Features 

PIX 525
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

25

100

100

100

Concurrent Firewall Conns2

140 K

280 K

280 K

280 K

Max. Physical Interfaces

6

10

10

10

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

128 MB

256 MB

256 MB

256 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 4 PIX 535 Security Appliance License Features 

PIX 535
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

50

150

150

150

Concurrent Firewall Conns2

250 K

500 K

500 K

500 K

Max. Physical Interfaces

8

14

14

14

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

512 MB

1024 MB

1024 MB

1024 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


New Features

This section lists the new features for Version 7.2(3). All new features are supported in ASDM 5.2(3).

capture Command Enhancement

The enhancement to the capture command allows the user to capture traffic and display it in real time. It also allows the user to specify command line options to filter traffic without having to configure a separate access list. This enhancement adds the [real-time] and a five-tupple [match] options. 

capture <cap_name> [[real-time] [dump] [detail [trace]] [match <prot> {host <ip> | <ip> 
<mask> | any} [eq | lt | gt <port>]  {host <ip> | <ip> <mask> | any} [eq | lt | gt 
<port>]]

Support for ESMTP over TLS

This enhancement adds the configuration parameter allow-tls [action log] in the esmtp policymap. By default, this parameter is not enabled. When it is enabled, ESMTP inspection would not mask the 250-STARTTLS echo reply from the server nor the STARTTLS command from the client. After the server replies with the 220 reply code, the ESMTP inspection turns off by itself— the ESMTP traffic on that session is no longer inspected. If the allow-tls action log parameter is configured, the system log message ASA-6-108007 is generated when TLS is started on an ESMTP session. 

policy-map type inspect esmtp esmtp_map 
parameters 
allow-tls [action log]

A new line for displaying counters associated with the allow-tls parameter is added to the show

service-policy inspect esmtp command. It is only present if allow-tls is configured in policy map. By default, this parameter is not enabled. 

show service-policy inspect esmtp

allow-tls, count 0, log 0

This enhancement adds a new system log message for the allow-tls parameter. It indicates on an esmtp session the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine will no longer inspect the traffic on this connection.

System log Number and Format:

%ASA-6-108007: TLS started on ESMTP session between client <client-side interface-name>:<client IP address>/<client port> and server <server-side interface-name>:<server IP address>/<server port>

DHCP Client

The dhcp-client client-id interface <interface name> command forces a MAC address to be stored inside a DHCP request packet instead of the default internally generated unique string. This CLI allows the security appliance to obtain a DHCP address from the ISP with this special requirement

WAAS and PIX Interoperability

The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under default inspection class and under a custom class-map. This inspection service is not enabled by default.

The keyword option waas is added to the show service-policy inspect command to display WAAS statistics. 

show service-policy inspect waas

A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.

System Log Number and Format:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

A new connection flag "W" is added int he WAAS connection. The show conn detail command is updated to reflect the new flag.

ASDM Banner Enhancement

The security appliance Version 7.2(3) software supports an ASDM banner. If configured, when you start ASDM, this banner text will appear in a dialog box with the option to continue or disconnect. The Continue option dismisses the banner and completes login as usual whereas, the Disconnect option dismisses the banner and terminates the connection. This enhancement requires the customer to accept the terms of a written policy before connecting. Following is the new CLI associated with this enhancement: 

banner {exec | login | motd | asdm} <text>

no banner {exec | login | motd | asdm} [<text>]

show banner [{exec | login | motd | asdm}]

clear banner

Important Notes

This section lists important notes related to Version 7.2(3).

User Upgrade Guide

Before upgrading to Version 7.2(3), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/pix_upgd/index.htm

Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(3) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(3) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:

ACE insertion capability—Provides simplified system configuration and management, which allows you to add, delete or modify individual ACEs.

Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.

Features not Supported

The PPTP feature is not supported.

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for the Version 7.2(3).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do

Open Caveats - Version 7.2(3)

Table 5 lists open caveats for Version 7.2(3).

Table 5 Open Caveats 

DDTS Number
Software Version 7.2(3)
 
 
Corrected
Caveat

CSCeh98117

No

Tunnel-group/ldap-login passwords in cleartext when viewed with more

CSCej04099

No

static xlate breaks management-access inside

CSCsc98412

No

PIX console accounting doesn't appear in ACS Logged-In User report

CSCse29407

No

pim accept-register list documentation issue

CSCse93941

No

add acl logging capability to vpn-filter

CSCsf25418

No

Traceback in Thread Name: tmatch compile after assert

CSCsg47023

No

L2TP Connections with Certificates to ASA Fail to Connect

CSCsg63145

No

Traceback with Thread Name: PIX Garbage Collector

CSCsg65434

No

Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list

CSCsg71579

No

Programming assertion malloc.c:3822 on secondary after failover from pri

CSCsg99492

No

SASL GSSAPI-Kerberos authentication not happening with Sunone Server

CSCsh48208

No

Directly connected network missing in route table

CSCsh78681

No

In use memory count displayed incorrectly

CSCsh91283

No

ASA/PIX: SunRPC inspect dropping packets on 7.0.6

CSCsi00074

No

Incorrect values returned by SSL VPN OIDs

CSCsi04673

No

FW may drop packets when VPN address pool overlaps with interface subnet

CSCsi32502

No

packet/byte counters are not populated for the session table of CRAS MIB

CSCsi35603

No

L2TP/IPSec sessions hanging when authenticating with EAP

CSCsi40796

No

ASA fails rekey with Checkpoint

CSCsi45911

No

ASA cpu approaches 100%, 80 byte blocks are leaked and mem>0 w/ssl str

CSCsi52176

No

TCP Normalizer Traceback in Thread Name: Dispatch Unit

CSCsi53577

No

OSPF goes DOWN after reload of VPN Peer

CSCsi68911

No

ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t

CSCsi80155

No

memory leak found during batch test of malformed HTTP messages

CSCsi94163

No

PPPOE connection does not renegotiate immediatly after short disconnect

CSCsi98617

No

VPNFO: Standby stale sessions not removed

CSCsj01620

No

Type 0 Client-ID for RA clients not supported by some DHCP servers

CSCsj01643

No

IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode

CSCsj02948

No

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error

CSCsj03437

No

WebVPN: RDP Icon fails after a redirect action to a Citrix Presentation

CSCsj07428

No

Idle IPSEC connections not closing out

CSCsj10151

No

Traceback in Dispatch Unit (possible double-free)

CSCsj12938

No

PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational

CSCsj18055

No

Traceroute fails through ASA if outside interface is pppoe and doing PAT

CSCsj19607

No

Traceback in Checkheaps - mem corruption PC on stride_list_node

CSCsj19904

No

Traceback in Thread Name: OSPF Router

CSCsj29444

No

VPN Client authentication fails with Novell Radius and Active Card

CSCsj32989

No

ASA traceback when running 100 user Avalanche webvpn goodput test

CSCsj42343

No

PIX 525 - bad vpif msgs are from the vpnfo module

CSCsj43076

No

Logging into standby ASA via SSH fails.

CSCsj43703

No

ASA mem leak on CRYPTO_malloc

CSCsj49481

No

WebVPN: HTTPS Page not rendered correctly while HTTP works fine

CSCsj56287

No

Traceback in Thread Name: ssh/timer

CSCsj61214

No

Lower cpu-hog syslog 711002 from Level 7 to Level 4

CSCsj66655

No

Duplicate ASP crypto table entry forwards VPN traffic using invalid SPI

CSCsj68874

No

Inspect HTTP invokes multiple times with interface service-policy

CSCsj74539

No

Traceback on Standby in Thread Name: fover_FSM_thread

CSCsj77641

No

Viewing QoS policing statistics may create traceback

CSCsj80196

No

Clientless WebVPN traffic not sent when matching crypto dynamic map ACL

CSCsj80563

No

ASA dynamic VPN match address disconnects some peers as duplicate proxy

CSCsj82413

No

QoS: class-map : match tunnel-group <tgrp-name> errors on reboot

CSCsj84640

No

Memory leak on CRYPTO_malloc

CSCsj87886

No

Failover conn replication fails while doing bidirectional NAT

CSCsj90274

No

Citrix sessions randomly disconnect

CSCsj90479

No

Traceback in Thread Name: Dispatch Unit

CSCsj92194

No

Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client

CSCsj96159

No

Traceback when freeing a packet from TCP_MOD function

CSCsj96831

No

half-closed tcp connection behaves as an absolute timer on ASA

CSCsj97241

No

80 byte block depletion with stateful failover enabled

CSCsj98622

No

SIP: Not translate c= address if first m= has port 0 in SDP body.

CSCsj99182

No

Traceback on Standby box in Thread IPsec message handler

CSCsj99242

No

Assert: Traceback in Thread Name: Dispatch Unit

CSCsj99660

No

ASA CONSOLE TIMEOUT does not timeout

CSCsk00072

No

ASA 7.2 Firewall-MIB : no snmp object for failover lan int status

CSCsk00089

No

ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status

CSCsk00589

No

Traceback in Thread Name: Dispatch Unit

CSCsk03550

No

ASA: Route injected through RRI disappear after failover

CSCsk04594

No

traceback: watchdog crash in uauth thread

CSCsk05453

No

Programming assertion while configuring http inspection policy

CSCsk06996

No

Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby


Resolved Caveats - Version 7.2(3)

Table 6 lists resolved caveats for Version 7.2(3).

Table 6 Resolved Caveats 

DDTS Number
Software Version 7.2(3)
 
 
Corrected
Caveat

CSCeg00330

Yes

DHCP relay: ACK in reply to INFORM may be dropped

CSCsb45561

Yes

standby instead of active keeps sending register to RP after failover

CSCsd43563

Yes

Crypto accelerator errors seen - connections failing

CSCsd51407

Yes

Dual ISP fails after failover, routing table have stale routes

CSCse14419

Yes

ASA 7.0(4) : not randomizing TCP SACK sequence numbers

CSCse21181

Yes

Decouple Passwd-Mngt checks from LDAP Authentication-Search

CSCse49440

Yes

SNMP: incorrect cpu usage sent for CISCO-PROCESS-MIB

CSCse88291

Yes

Traceback with WEBVPN user login when memory is running low.

CSCsf30571

Yes

Traceback in ssh_init

CSCsg08640

Yes

access-list damaged and frozen, clear config acl has no effect

CSCsg09071

Yes

L2TP over IPSEC disconnections syslog are always-'User requested'

CSCsg16149

Yes

data sent with Active MAC after switchover to standby

CSCsg39936

Yes

Pix/ASA: Disabling pim on subinterface causes other interface mcast fail

CSCsg43591

Yes

SCP connection to PIX fails

CSCsg52106

Yes

Embryonic value -1 under syslog and count to host = 42949672

CSCsg53120

Yes

ASA WebVPN Time-out on Database Requests

CSCsg56876

Yes

WebVPN: traceback after applying http or IM deep inspection

CSCsg60095

Yes

VPN traffic permitted by vpn-filter is denied

CSCsg61719

Yes

SNMP: Coldstart Trap is not sent

CSCsg68181

Yes

WebVpnPortForward Java applet Certificate Expired

CSCsg68186

Yes

Malformed Regex causes traceback on ASA/PIX

CSCsg69149

Yes

Policy NAT with large ACL and HA may traceback in tmatch compile thread.

CSCsg69408

Yes

Need warning when using time based ACLs with policy NAT/PAT

CSCsg70698

Yes

Session timer is not reset during WebVPN ActiveX and Java tunneling

CSCsg76777

Yes

7.2 transparent / change of behavior : ASA does not retain the src mac

CSCsg77099

Yes

WebVPN Java archives with uncompressed entries fail through rewriter

CSCsg78524

Yes

NT Authentication (NTLM) is attempted three times with a bad password

CSCsg80370

Yes

memory leak in ftp inspection causes high cpu

CSCsg81621

Yes

Cannot authenticate user on first attempt with Unite application.

CSCsg83130

Yes

Device reload with no crashinfo file

CSCsg86020

Yes

web terminal services through webvpn on ASA might not work.

CSCsg86507

Yes

Standby traceback in dispatch unit when enabling 'per-client-max' MPF

CSCsg86538

Yes

Dynamic L2L tunnel fails if the remote peer ip is changed

CSCsg86583

Yes

JavaScript rewriting of typeof followed by src

CSCsg87808

Yes

'wr mem' fails due to snmp config; Error: (Configuration line too long)

CSCsg87815

Yes

sync config with long snmp configuration causes traceback on active unit

CSCsg87891

Yes

WebVPN: Homepage is not accessible when url-entry is disabled.

CSCsg88048

Yes

WebVPN Terminal Server ActiveX control not installed when using WebVPN

CSCsg89271

Yes

PIX 7.2.1 corrupting SDP media attributes in RTSP

CSCsg90455

Yes

VPN:Traceback in Thread Name: Dispatch Unit with fragmented cTCP packets

CSCsg92979

Yes

copy ftp from firewall fails when default passive mode is used

CSCsg93050

Yes

Inspect DCERPC failure. Packet too small error

CSCsg94165

Yes

Device reload when quit (hit q) from <more> console paged display

CSCsg94167

Yes

Kerberos SASL uses the wrong name-type for TGS request

CSCsg94762

Yes

URL caching leads to invalid filter server status on PIX/ASA

CSCsg96150

Yes

dependence between sysopt connection permit-vpn and management commands

CSCsg96247

Yes

ASA traceback - RSA keypair generation SSH function calls

CSCsg96351

Yes

http regex matching fails to match http:\/\/

CSCsg96701

Yes

traceback at Thread PIM IPv4

CSCsg96891

Yes

ASA 7.2.2.1 Traceback: Unicorn Proxy Thread

CSCsg97348

Yes

FW replying to port application requests that are not active using VPN.

CSCsg99807

Yes

ICMP (type3, code4) is not sent after learning PMTU

CSCsh01646

Yes

pptp inspect does not alter Call ID in some packets

CSCsh05517

Yes

EAP state engine triggers retransmission. Clients reply terminates LCP

CSCsh05888

Yes

Standby traceback in vpnfol_thread_msg

CSCsh06232

Yes

PIX does not open RTP connections for H323 calls

CSCsh12413

Yes

FO: Syslog 111111: Memory requested from Null Chunk seen every min.

CSCsh12711

Yes

Traceback in TCP Normalizer

CSCsh14023

Yes

TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0

CSCsh15587

Yes

Garbage characters printed on console at end of long show cmd

CSCsh16767

Yes

WebVPN: DWA problem with sending attachments

CSCsh17164

Yes

ping command within CONTEXT causes SSH session to hang.

CSCsh18659

Yes

ASA-WebVPN: Java Applet for Cisco Unix ACS management doesn't load

CSCsh19536

Yes

VPN-FO: Sessions not cleaned up correctly on Standby

CSCsh20618

Yes

80-byte block memory leak with asn1 decoding

CSCsh21446

Yes

Req Method HEAD is dropped when proto-violation is on at inspect HTTP

CSCsh21984

Yes

When out of available URL requests, future HTTP GETs dropped silently

CSCsh22262

Yes

FTP authen fails if trailing <cr> exists in banner & aaa proxy enabled

CSCsh22531

Yes

ASA: Qos Policing only works when in input direction

CSCsh23012

Yes

data received after static pat is removed causes traceback

CSCsh23318

Yes

When a pending URL request times out the Buffered traffic is lost

CSCsh23865

Yes

Nailed Static configuration doesnt appear in config

CSCsh23910

Yes

<