Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 7.2(4)

Downloads

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 7.2(4)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Version

Supported Platforms and Feature Licenses

New Features

capture command Enhancement

clear conn Command

IPv6 Multicast Listener Discovery Protocol v2 Support

clear ipv6 mld traffic Command

show ipv6 mld Command

debug ipv6 Command Enhancement

show debug ipv6 mld Command Enhancement

MIB Enhancement

QoS Traffic Shaping

show asp drop Command Enhancement

show asp table classify hits Command Enhancement

TCP Normalization Enhancements

TCP Urgent Flag Syslog

Timeout for SIP Provisional Media

Important Notes

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported

Downgrade to Previous Version

Caveats

Open Caveats - Version 7.2(4)

Resolved Caveats - Version 7.2(4)

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Cisco PIX Security Appliance Release Notes Version 7.2(4)

April 2008

Contents

This document includes the following sections:

Introduction

System Requirements

Supported Platforms and Feature Licenses

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(4).

The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.

For more information on all of the new features, see New Features.

Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.

System Requirements

The sections that follow list the system requirements for operating a security appliance.

Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(4).

Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.2(4).

Table 1 Flash Memory Requirements 

Security Appliance Model
Flash Memory Required in Version 7.2(4)

PIX 515/515E

16 MB

PIX 525

16 MB

PIX 535

16 MB


For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.2(4) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.2(4) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix

2. For information on specific licenses supported on each model of the security appliance, go to the following website: www.cisco.com/go/license

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "Upgrading to a New Software Version" for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(4). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(4). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 7.2(4) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 7.2(4) requires Cisco VPN 3000 concentrator Version 3.6 or later for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 7.2(4) supports the Cisco VPN client Version 3.6 or later that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN remote v6.3

Version 7.2(4) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote v3.x/4x

Version 7.2(4) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 7.2(4) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance. Alternatively, you can see the software version, on the Cisco ASDM home page.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Note PIX and ASDM images must be compatible for example PIX Version 7.2(4) is compatible to ASDM Version 5.2(4). ASDM will not work with an incompatible platform version. You will get an error message and ASDM will close.

You can also use the command-line interface to download the image, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.1.(x) to 7.2(4), you must perform the following steps:

Step 1 Load the new Version 7.2(4) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will start using the Version 7.2(4) image.

Step 3 Copy new ASDM Version 5.2(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file

To downgrade from Version 7.2(4) to 7.1.(x), you must perform the following steps:

Step 1 Load the earlier Version 7.1(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it will be use the Version 7.1(x) image.

Step 3 Copy the ASDM Version 5.1(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file

Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

PIX 515/515E, Table 2

PIX 525, Table 3

PIX 535, Table 4

Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.

Table 2 PIX 515/515E Security Appliance License Features 

PIX 515/515E
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional license: 5

2

Optional license: 5

2

Optional license: 5

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

10

25

25

25

Concurrent Firewall Conns2

48 K

130 K

130 K

130 K

Max. Physical Interfaces

3

6

6

6

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

64 MB

128 MB

128 MB

128 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 3 PIX 525 Security Appliance License Features 

PIX 525
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

25

100

100

100

Concurrent Firewall Conns2

140 K

280 K

280 K

280 K

Max. Physical Interfaces

6

10

10

10

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

128 MB

256 MB

256 MB

256 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 4 PIX 535 Security Appliance License Features 

PIX 535
R (Restricted)
UR (Unrestricted)
FO (Failover)1
FO-AA (Failover Active/Active)1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

50

150

150

150

Concurrent Firewall Conns2

250 K

500 K

500 K

500 K

Max. Physical Interfaces

8

14

14

14

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

512 MB

1024 MB

1024 MB

1024 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


New Features

This section lists the new features for Version 7.2(4). All new features are supported in ASDM 5.2(4).

capture command Enhancement

The capture asp type asp-drop all command captures all packets that the security appliance drops, including those dropped due to security checks.

clear conn Command

The clear conn command was added to remove connections.

IPv6 Multicast Listener Discovery Protocol v2 Support

The PIX security appliance now supports the Multicast Listener Discovery Protocol (MLD) Version 2, to discover the presence of multicast address listeners on their directly attached links, and to discover specifically which multicast addresses are of interest to those neighboring nodes. PIX becomes a multicast address listener, or a host, but not a a multicast router, and responds to Multicast Listener Queries and sends Multicast Listener Reports only.

The following commands support this feature:

show ipv6 mld Command

debug ipv6 Command Enhancement

show debug ipv6 mld Command Enhancement

clear ipv6 mld traffic Command

The clear ipv6 mld traffic command allows you to reset all the Multicast Listener Discovery traffic counters. the syntax is as follows: 

clear ipv6 mld traffic

show ipv6 mld Command

The show ipv6 mld command allows you to display all the Multicast Listener Discovery traffic counters. the syntax is as follows: 

show ipv6 mld traffic

debug ipv6 Command Enhancement

The enhancement to the debug ipv6 command allows the user to display the debug messages for MLD, to see whether the MLD protocol activities are working properly. This enhancement adds the mld option. 

debug ipv6 {icmp | interface | mld | nd | packet | routing}

show debug ipv6 mld Command Enhancement

The enhancement to the show debug ipv6 command allows the user to display whether debug ipv6 mld is enabled or disabled.

show debug ipv6 mld

MIB Enhancement

The CISCO-REMOTE-ACCESS-MONITOR-MIB is implemented more completely.

QoS Traffic Shaping

If you have a device that transmits packets at a high speed, such as a security appliance with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.

show asp drop Command Enhancement

The show asp drop command now displays the capture asp-drop type keywords. This enhancement displays the particular capture type as part of the output of the show asp drop command.

A timestamp was also added indicating when the last time the asp drop counters were cleared.

show asp table classify hits Command Enhancement

The hits option was added to the show asp table classify command, showing the timestamp indicating the last time the asp table counters were cleared. It also shows rules with hits values not equal to zero. This permits users to quickly see what rules are being hit, especially since a simple configuration may end up with hundreds of entries in the show asp table classify command.

TCP Normalization Enhancements

You can now configure TCP normalization actions for certain packet types. Previously, the default actions for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets.

TCP invalid ACK check (the invalid-ack command)

TCP packet sequence past window check (the seq-past-window command)

TCP SYN-ACK with data check (the synack-data command)

You can also set the TCP out-of-order packet buffer timeout (the queue command timeout keyword). Previously, the timeout was 4 seconds. You can now set the timeout to another value.

The default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).

The following non-configurable actions have changed from drop to clear for these packet types:

Bad option length in TCP

TCP Window scale on non-SYN

Bad TCP window scale value

Bad TCP SACK ALLOW option

TCP Urgent Flag Syslog

When the TCP urgent flag of a TCP packet is cleared and debugging is enabled, a syslog is generated.

Timeout for SIP Provisional Media

You can now configure the timeout for SIP provisional media using the timeout sip-provisional-media command.

Important Notes

This section lists important notes related to Version 7.2(4).

User Upgrade Guide

Before upgrading to Version 7.2(4), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(4) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(4) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:

ACE insertion capability—Provides simplified system configuration and management, which allows you to add, delete or modify individual ACEs.

Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.

Features not Supported

The PPTP feature is not supported.

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for the Version 7.2(4).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.

Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do

Open Caveats - Version 7.2(4)

Table 5 lists open caveats for Version 7.2(4).

Table 5 Open Caveats 

DDTS Number
Software Version 7.2(4)
 
 
Corrected
Caveat

CSCsg44891

No

Traceback in tmatch compile thread

CSCsg71579

No

Programming assertion malloc.c:3822 on secondary after failover from pri

CSCsg99492

No

SASL GSSAPI-Kerberos authentication not happening with Sunone Server

CSCsh91747

No

SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE

CSCsk19485

No

syslog TCP_CONN_END shows Reset-O for ASA generated TCP RST

CSCsk30698

No

PIX/ASA may stop generating syslogs all together

CSCsk45220

No

Regex used in CLI command filtering causes device reload

CSCsk48344

No

Inspect http is not matching server response fields

CSCsk89474

No

URL filtering not performed for u-turn vpn traffic

CSCsk95246

No

no router rip, followed by router rip & network cause vPifnum & tracebac

CSCsk96804

No

Traceback in Thread Name: Dispatch Unit with inspect h323

CSCsl04448

No

Cannot remove url-server despite having removed url-block cmd in 7.2.3

CSCsl10052

No

new L2TP sessions are denied after %ASA-4-403103 is seen in the logs

CSCsl18071

No

Windows Media Player can not play media file with/without L-2-L Ipsec

CSCsl22480

No

CIFS share not working for Clientless SSL VPN

CSCsl41515

No

ASA traceback in Dispatch Unit (Old pc 0x00223a67 ebp 0x018b12f8)

CSCsl52895

No

ASA 7.2.3 number of IPSec SA not replicated in failover unit

CSCsl82200

No

IPSec not encrypting after failover

CSCsl90215

No

Traceback may occur when access-list changes pushed from SolSoft

CSCsl95928

No

High CPU utilization due to OSPF

CSCsm16160

No

Traceback may occur in pix_flash_config_thread w/ dynamic DNS cfg'ed

CSCsm55447

No

ASA/WebVPN Citrix sessions randomly dropped

CSCsm55491

No

ASA Disconnects voice call when # key is entered

CSCsm55947

No

Failover interface missing from ifTable

CSCsm57291

No

ASA/PIX traceback due to memory corruption during IPSec SA deletion

CSCsm57303

No

Communication failure between ASA and AIP-SSM

CSCsm65019

No

Websense encryption is not supported error on ASA

CSCsm68957

No

SIP inspection not fixing-up addr in Refer-To replaces section

CSCsm69219

No

GTP: Drop GTP message creating PDP context when no filter

CSCsm69271

No

GTP: Drop GTP message based on message ID when permitted

CSCsm73923

No

SIP:session timeout when forwarding a call is improperly set

CSCsm77854

No

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error

CSCsm79787

No

drop for inspect skinny is not counted in show service-policy

CSCsm85872

No

snmp trap for PHYSICAL interface is not sent when a port goes down

CSCsm87233

No

Traffic flow stops on a wireless hand-off or a reconnect

CSCsm87892

No

ASA 5505 Interface Hangs

CSCsm92275

No

SQL inspection rewrites IP addresses embeded in SQL data

CSCsm92613

No

ASP drop capture missing type for vpn-handle-error

CSCso01003

No

Crypto accelerator errors seen in syslog

CSCso01629

No

RTSP inspection doesn't drop non-RTSP traffic with TCP/554

CSCso01702

No

SIP: RTP/RTCP pinholes are allocated unexpectedly between same interface

CSCso03582

No

Overrun counter increments when REINVITE is recevied

CSCso38699

No

CPU Hog when replicating config to standby unit

CSCso39525

No

failed to open ASA webvpn homepage

CSCso43026

No

Traceback in Thread Name: Dispatch Unit (Old pc 0x00223a67 ebp 0x018b)

CSCso43383

No

SIP:media xlate idle timer is not refreshed when receiving 200ok

CSCso45557

No

Traceback in tmatch compile thread (user assertion)


Resolved Caveats - Version 7.2(4)

Table 6 lists resolved caveats for Version 7.2(4).

Table 6 Resolved Caveats 

DDTS Number
Software Version 7.2(4)
 
 
Corrected
Caveat

CSCsc98412

Yes

Pix console accounting doesn't appear in ACS Logged-In User report

CSCsd65922

Yes

webvpn acls should allow wilcard * hostnames

CSCsg48442

Yes

Ping through ASA fails when using interface PAT on PPPoE interface

CSCsh55107

Yes

DHCP relay fails when static translation for all hosts configured

CSCsh91283

Yes

Inspect SunRPC drops segmented packets

CSCsi14147

Yes

SSH conn drops while writing a file to ASA5505 file system

CSCsi35603

Yes

L2TP/IPSec sessions hanging when authenticating with EAP

CSCsi41346

Yes

user session and idle timeout values not honored by cut-thru-pxy

CSCsi49983

Yes

Periodic HW crypto errors 402123 & 402125 see with L2TP/IPSEC

CSCsi53577

Yes

OSPF goes DOWN after reload of VPN Peer

CSCsi55386

Yes

PKI: ocsp malformed request error - OpenCA/OCSPD responder

CSCsi60244

Yes

webvpn_session struct is not correctly validated in failover code

CSCsi65122

Yes

Overlapping static with NAT exemption causes xlate errors on standby

CSCsi68911

Yes

ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t

CSCsi84143

Yes

Mem del-free-poisoner fails to svc alloc requests from the poisoned pool

CSCsi94163

Yes

PPPOE connection does not renegotiate immediatly after short disconnect

CSCsi98616

Yes

The TCP connections in SVC won't survive after consecutive failovers

CSCsj01643

Yes

IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode

CSCsj12938

Yes

PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational

CSCsj40648

Yes

Traceback in Thread Name: emweb/https

CSCsj41977

Yes

cert handling inconsistent between physical and LB interfaces

CSCsj43076

Yes

Logging into standby ASA via SSH fails

CSCsj49481

Yes

WebVPN: HTTPS Page not rendered correctly while HTTP works fine

CSCsj51849

Yes

cpu-hog observed in process nic status poll thread

CSCsj62231

Yes

traceback pix_flash_config_thread while booting with a 4K key ID cert

CSCsj66185

Yes

ASA: Switching primary and secondary unit can cause duplicate MAC

CSCsj66667

Yes

group-url hostname should not be case-sensitive

CSCsj78675

Yes

HTTP host header not included in PKI requests with terminal enrollment

CSCsj80196

Yes

Clientless WebVPN traffic not sent when matching crypto dynamic map ACL

CSCsj80563

Yes

ASA dynamic VPN match address disconnects some peers as duplicate proxy

CSCsj82105

Yes

ASA vulnerable to HTTP Splitting

CSCsj82370

Yes

WebVPN: OWA left pane unresponsive when trying to access the folders

CSCsj82413

Yes

QoS: class-map : match tunnel-group <tgrp-name> errors on reboot

CSCsj83531

Yes

Dynamic VPN phase 2 neg with ID_IPV4_ADDR_RANGE accepted as 0.0.0.0/0

CSCsj84405

Yes

Poison route causes default route in ASP routing table to be deleted

CSCsj86636

Yes

Frames offset and toolbar missing in mangled site

CSCsj90274

Yes

Citrix sessions randomly disconnect

CSCsj90479

Yes

IPS and fragments cause Traceback in Thread Name: Dispatch Unit

CSCsj91809

Yes

Clientless email proxy POP3S with Outlook 2007 not working

CSCsj92194

Yes

Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client

CSCsj96831

Yes

half-closed tcp connection behaves as an absolute timer on ASA

CSCsj97241

Yes

80 byte block depletion with stateful failover enabled

CSCsj98458

Yes

LDAP CRL checking failure for Cert Chain

CSCsj98622

Yes

SIP: Not translate c= address if first m= has port 0 in SDP body

CSCsj99242

Yes

Assert: Traceback in Thread Name: Dispatch Unit

CSCsj99660

Yes

ASA CONSOLE TIMEOUT does not timeout

CSCsk00089

Yes

ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status

CSCsk00547

Yes

Traceback in ci/console when modifying cmap inspection_default

CSCsk01426

Yes

URL filtering broken if multiple inspection enabled on same traffic

CSCsk03550

Yes

ASA: Route injected through RRI disappear after failover

CSCsk05432

Yes

PKI: Default attribute for an LDAP CRL query should include a binary CRL

CSCsk06989

Yes

WebVPN: Traceback in Unicorn while rewriting Java applets

CSCsk06996

Yes

Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby

CSCsk10156

Yes

VPN traffic with static PAT to outside ip address denied by outside ACL

CSCsk12859

Yes

ASA 8.0.2 Traceback under heavy loads of traffic

CSCsk13421

Yes

Firewall may traceback while capturing WebVPN Data

CSCsk18083

Yes

nat exemption access-list not checked for protocol or port when applied

CSCsk18084

Yes

cikeTunnelTable does not populate for some of the ISAKMP SA's

CSCsk19065

Yes

Excessive High CPU and packets drops when applying ACL to an interface

CSCsk19882

Yes

Memory leak in ASA due to WEBVPN compression

CSCsk25164

Yes

IPSec VPN Client Update not working for mac-> headend issue

CSCsk26830

Yes

Certificate authorization broken when using all DN fields as username

CSCsk27085

Yes

ASA 5505 switch stops forwarding arp packets to ASA

CSCsk28847

Yes

ASA only sends six (6) Radius IETF class 25 attributes for accounting

CSCsk28972

Yes

Traceback:Thread Name: IKE Daemon when connecting w/ certain certificate

CSCsk31007

Yes

IP: traceback in Thread Name: Dispatch Unit

CSCsk31129

Yes

SIP inspection breaks SIP authentication

CSCsk33925

Yes

WebVPN: Regression with OWA as a result of CSCsj82370

CSCsk36399

Yes

Traceback in PIX Garbage Collector (Old pc 0x008b619d ebp 0x0261ed60)

CSCsk37130

Yes

Clear button goes away too much from Login button

CSCsk38962

Yes

memory leak in webvpn failover

CSCsk39154

Yes

PIX/ASA dynamic l2l vpn does not work in 8.0.2.16

CSCsk39286

Yes

ASA5505:Setting Duplex causes a 5 or 6 second outage on the interface

CSCsk41454

Yes

Traceback in thread name: ssh

CSCsk43103

Yes

Traceback in Thread Name emweb/https

CSCsk43232

Yes

traceback with http traffic when url filtering and http inspect enabled

CSCsk44832

Yes

Primary does not become active when pri & sec are booted together

CSCsk45117

Yes

Traceback in webvpn_url_mangle.c

CSCsk45867

Yes

clear conf sec causes trace back on EIGRP thread

CSCsk45943

Yes

PIX: proxy-arps on all interfaces for the vpn-pool

CSCsk47949

Yes

ASDM hangs at 47% if packet losses on the network

CSCsk48199