Adaptive Security Appliance Hot Issues from Cisco TAC

Duplicate ASP crypto table entry causes firewall to not encrypt traffic , Fixed CSCtb53186

Symptom: When testing 100 site to site vpn connections on an ASA running 8.2.1 one or two tunnels would not encrypt traffic. The connections were established and dropped multiple times before seeing this issue.
Conditions: "sho asp table vpn-context detail " shows duplicate crypto table entries. Two current and one left over from previous connection. This creates the problem of the traffic not being encrypted.
Workaround: Reload ASA.

, Open CSCsw48786

Symptom: When enabling URL filtering on the Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM), web browsing may be unreasonably slow. This is usually due to a misconfiguration or issue within the network that is time consuming to diagnose from a TAC perspective. This bug is a request to add some troubleshooting tools to the CSC interface to assist TAC in supporting the end user..
Conditions: This covers all versions of CSC code.
Workaround: N/A

, Open CSCtd36473

Symptom: Outbound encryption traffic in an IPsec tunnel may fail, even if inbound decryption traffic is working.
Conditions: This issue has been observed on an IPsec connection after multiple rekeys, but the trigger condition is not clear. The presence of this issue can be established by checking the output of "show asp drop" and verifying that the Expired VPN context counter is increasing for each outbound packet sent.
Workaround: None.
Further Problem Description:

ASA 8.0(5) - "LU allocate connection failed" , Open CSCte80027

Symptom: %ASA-3-210005: LU allocate connection failed error messages on standby unit caused by failed replication of IPSec connections. In debugs message "Failed to create flow (dropped)" can be seen for subnet which is actually pool created for IPSec connections...and it seems that the reason for flow replication failure was because of acl-drop...
Conditions: ASA in failover mode running 8.0(5)
Workaround: Downgrade to 8.0(4) code

ASA5580 traceback in thread DATAPATH-2-476, eip rt_timer_cancel_callback , Open CSCte43903

Symptom: ASA5580 traceback on thread name DATAPATH-2-476
Conditions: Observed on 8.2.1.11
Workaround: No known workaround

ASA fails to redirect traffic to WCCP cache server , Fixed CSCsy82260

At certain occasions after a failure the ASA fails to redirect traffic on TCP ports 80 and 443 to the WCCP cache servers. This problem occurs at any time during the day. We have observed that the problem always happens after a failure in the network that causes the ASA to momentarily lose communicate with the WCCP servers. This can be a failure initiated on the WCCP servers themselves or any connection devices between the ASA and the WCCP servers. We have two (2) WCCP cache servers, if any one of these servers is brought down for maintenance, we experience the problem as well. Traffic will not be redirected to the remaining online server. The 1st thing we see on the ASA is log messages indicating communication with web-cache server has been lost, as shown below: Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/90 lost Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/91 lost Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/92 lost The IP addresses for our web-cache servers are 172.20.143.11 and 172.20.143.12. When the connection failure caused by what ever reason (outside of the ASA itself) is restore, no traffic is redirected by the ASA. The show WCCP commands show everything is normal, it is able to talk with the web-cache servers. The symptoms that were observed in troubleshooting were that "show wccp 90 detail" on the ASA displayed redirected packet counters that were not incrementing. All other WCCP diagnostics appeared normal (Here I Am & I See You heartbeat packets were incrementing) on both the ASAs and the Blue Coat proxies, and "show wccp 90" on the ASA indicated 1 WCCP router (the ASA) and 2 WCCP caches (the Blue Coat proxies), as expected. User traffic will be reaching the internet directly without redirection. We did not notice this problem until after upgrading the ASA code to 8.1.2(11) code on 02/02/2009. The previous code were running prior to that was 8.1.2(7). The problem could have been there on the previous code but we just did not notice it until we were running 8.1.2(11). Please note we do not see this problem at all when the ASA itself fails or is reloaded. It always occurs when there is any other failure which causes web-cache communication to be lost Work around The steps outlined below show how we resolve this issue when it happens. 1. Disable WCCP on Blue Coat proxy 1 and proxy 2. 2. Remove the WCCP commands on the ASA: no wccp interface inside 90 redirect in no wccp 90 redirect-list 101 password Bluecoat no wccp 91 redirect-list 133 password Bluecoat no wccp 92 redirect-list 134 password Bluecoat no wccp 93 redirect-list 135 password Bluecoat no wccp 94 redirect-list 136 password Bluecoat no wccp 95 redirect-list 137 password Bluecoat no wccp 96 redirect-list 138 password Bluecoat no wccp 97 redirect-list 139 password Bluecoat 3. Reconfigure WCCP commands on the ASA: wccp 90 redirect-list 101 password Bluecoat wccp 91 redirect-list 133 password Bluecoat wccp 92 redirect-list 134 password Bluecoat wccp 93 redirect-list 135 password Bluecoat wccp 94 redirect-list 136 password Bluecoat wccp 95 redirect-list 137 password Bluecoat wccp 96 redirect-list 138 password Bluecoat wccp 97 redirect-list 139 password Bluecoat wccp interface inside 90 redirect in 4. Enable WCCP on Blue Coat proxy 1 and proxy 2. 5. Observe that Here I Am & I See You heartbeat packets were incrementing on both the ASAs and the Blue Coat proxies. 6. Observe that redirected packet counters were incrementing on the ASA. 7. Confirm from our PCs that web traffic was being redirected from the ASA to the Blue Coat proxies for authentication and filtering.

ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure , Fixed CSCta55072

Symptom: ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure
Conditions: Running 8.2.1version. The ASA5505 box has a basic license with Inside hosts limit. When the total number of inside hosts exceeds the limit, it may trigger the crash. If there is no limit for inside hosts with the license, the crash won't be triggered.
Workaround: No workaround
Further Problem Description:

ASA dropping the packet instead of encrypting it. , Open CSCso50996

Symptom: ASA/PIX stops encrypting data to a remote IPSec peer (either L2L or Remote Access).
Conditions: The problem is that after an IPSec SA goes down and comes back up (including phase 2 rekeys), it's possible that a duplicate vpn-context and classifier entry are created and added to the ASA's ASP classifier table for crypto. The ASA should only have a single ASP classifier/vpn-context per IPSec flow (ie. inbound vs. outbound) in its database.
Workaround: Reload the ASA.

CSC 6.3 kernel's TCP stack conn closing can cause corrupt http pages , Fixed CSCtd04067

Symptom: When browsing pages through the CSC module, sometimes some pages might not fully load, or load half, or corrupt, or with scrambled content.
Conditions: Only running CSC 6.3 and browsing using IE. Note that this is not a common case. In other words, in case there are corrupt pages or loading issues, that should not always be attributed to the CSC module.
Workaround: Downgrade to CSC 6.2.
Further Problem Description: This behavior is only noticed when the browser sends an extra TCP ACK, Window Update packet after ACKing the 200_OK with FIN flag set. If the browser sends a FIN after the ACK to the 200_OK FIN the pages shows properly. It was noticed in some corner cases only using IE. Firefox worked ok. Packet captures on the browsing client show RSTs coming from the server when the client does not send a FIN after ACKing the final 200_OK with FIN flag set from the server.

, Fixed CSCtb17498

Symptom: ASA traceback in 'Thread Name: ssh' when working with captures
Conditions: Captures configured on ASA.
Workaround: None.

Traceback in scheduler , Fixed CSCsk85428

Symptom: Traceback in scheduler. This traceback could happen in any thread.
Conditions: Cisco ASA/PIX running some versions of 7.0, 7.1, and 7.2. This condition is a very rare timing condition . It is not induced or affected by any configuration on the box or any external stimulus. It could happen in any release after the following releases: 007.000(006.037) 007.001(002.058) 007.002(002.027)
Workaround: None

CSC does not recover by itself from auto update corruption , Open CSCtc37947

Symptom: Some signatures may fail to update even though a newer version of signatures is available in TrendMicro repository.
Conditions: Sporadic, during normal operation.
Workaround: From root account on CSC remove the temporary files created for auto update. Restart the services.
Further Problem Description:

ASDM fails to load due to out of DMA memory when logging is configured , Fixed CSCtb58989

Symptom: ASDM fails to load on ASA 8.2, due to no available DMA memory. This issue occurs if logging is enabled along with crypto tunnels.
Conditions: Logging is enabled. Crypto (IPSec, SSL) is also enabled.
Workaround: Downgrade ASA to 8.0.x or configure the logging queue to a value of 512. After restoring the logging queue to default, need to reload the box to reclaim DMA memory.

, Fixed CSCsx99960

Symptom: Secondary ASA 5580 running in active/active failover mode having group 2 as active crashed in CP Processing thread -->
Conditions: ASA running 8.1.1.12 with normal work load.
Workaround: None-->
Further Problem Description:

access-list logging prints 106100 syslog always at informational level , Fixed CSCsz73284

Symptom: Logging message 106100 always prints at level informational. As a result, logging message 106100 is not printed when logging level is set to lower than informational for both access-list and logging configuration
Conditions: Syslog level set to lower than informational (level 6) for both access-list and logging
Workaround: configure the following: logging list mylist level notifications logging list mylist message 106100 logging trap mylist This will allow only notification level syslogs and 106100 to be logged.

WebVPN: Implement Split Tunneling w Smart Tunnels , Open CSCsi40901

Symptom: Currently, WebVPN Smart-Tunnel configuration will not support Split Tunneling with Smart Tunnels This bug is an enhancement request to have smart-tunnel configuration working with Split Tunneling
Conditions: ASA 8.0.2 or 8.0.3 code with Clientless WEBVPN and Smart-Tunnel configured
Workaround: If you connect with IE all subsequent IE processes will be ST if SmartTunnel lists are used. Therefore, to be able to reach a site and not through the ST launch and use a different browsers, such as FireFox. Same principal applies if the WebVPN and SmartTunnel was launched in FireFox then Internet Explorer (IE) will not be tunneled, thus achieving the split tunnel effect until this feature is implemented. FYI: Ensure no add-ons in FireFox prevent the SmartTunnel from launching and allow the ASA to be ALLOWED in the FF add-ons under Tools > Options > Security > enable 'Warn me if sites try to install add-ons' > Exceptions then add the ASA FQDN or IP address in the Allow Site list.

PP: One way audio between out-phones when they are behind a Nat router , Fixed CSCsz49463

Symptom: There is one way audio between 2 outside phones if they are behind a NAT router and the ASA is configured with Interface MTA.
Workaround: The work around for this issue is to configure Global MTA instead of interface MTA on ASA.

coredump.cfg file gets rewritten every time show run is executed , Fixed CSCsz85597

Symptom: Each time you issue a "show running-config" on an ASA, the coredumpinfo/coredump.cfg on the flash gets rewritten.
Conditions: "show running-config" is issued on an ASA running 8.2(1) or later
Workaround: None

, Fixed CSCtb42871

Symptom: ASA 8.2.1 crashes in Thread Name: PIX Garbage Collector
Conditions: software 8.2.1
Workaround: none
Further Problem Description:

the procedure of copying a file from ramfs to flash should be atomic , Fixed CSCsy77628

Symptom: "%ERROR: copying 'disk0:/csco_config/97/customization/index.ini' to a temporary ramfs file failed" or similar message
Conditions: During WebVPN customization configuration (while pushing config files)
Workaround: Issue "revert webvpn all" to clear all WebVPN config and reconfigure from scratch.
Further Problem Description: n/a

CSC module to support https requests in URL filtering , Open CSCsh18404

Symptom: When users access web pages via "https" URLs, those requests are not being sent to the URL filter server for lookup.
Conditions: CSC module running any code version. URL blocking and/or filtering enabled.
Workaround: None known.
Further Problem Description: This is an enhancement request to be considered for implementation by Trend Micro.

IMPORTANT TLS/SSL SECURITY UPDATE , Fixed CSCtd00697

Summary: An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

, Fixed CSCsy71401

Symptom: The ASA will crash if changes are made to an object group. The crash thread will be whatever process was used for connecting to the ASA (ssh, telnet, ci console, etc). The crash dump will indicate that CPU and Memory were at 99% utilization.
Conditions: Object groups must be used by the ASA in the ACL.
Workaround: None.

show memory in a context shows incorrect memory usage , Open CSCsx64778

Symptom: Some contexts in a PIX/ASA may show excessively high memory consumption when issuing the "show memory" command. The issue is purely cosmetic. In the system mode, the memory use looks normal: ######## show mem detail Free memory: 402674352 bytes (75%) Used memory: Allocated memory in use: 111063456 bytes (21%) Reserved memory: 23133104 bytes ( 4%) ----------------------------- ---------------- Total memory: 536870912 bytes (100%) ################### However in a context, it may not look normal: ######### ------------------ Context ------------------ show mem detail Used memory: 377256744 bytes (70%) ------------- ---------------- Total memory: 536870912 bytes (100%) Most used memory: 4294967088 bytes (800%) RVAPstm03/IMB# show mem detail Used memory: 377367216 bytes (70%) ------------- ---------------- Total memory: 536870912 bytes (100%) Most used memory: 4294967088 bytes (800%) ###########################################
Conditions: This issue is purely cosmetic and does not appear to have any performance impact.
Workaround: There is no known workaround at this time.

, Fixed CSCta03382

Symptom: With SQLNET inspection Oracle database connection drops errors with -ORA-12569 TNS packet checksum failure -ORA-03106 fatal two-task communication protocol error if a specific query sent. Also, the following syslog may be printed: %ASA-4-507003: tcp flow from dmz:172.20.1.1/65000 to inside:172.16.1.1/1521 terminated by inspection engine, reason - proxy inspector drop reset.
Conditions: ASA with SQLNET inspection
Workaround: Disabling SQLNET inspection is an option as long as they are not doing NAT.

Double authentication broken in 8.2.2 when use-primary-username is conf. , Open CSCte66568

Symptom: ASA 8.2.2 might cause authentication issues on WebVPN portal while AnyConnect works still great.
Conditions: Double authentication is configured under tunnel group in use.
Workaround: Removing the "use-primary-username" option from the config will allow the connection to proceed. The user will have to type their user name in twice though. Disabling the double authentication or downgrading to 8.2.1 acts as only workaround for now.

Traceback in Thread Name: Unicorn Admin Handler , Open CSCta02170

Symptom: ASA reloads due to block corruption.
Conditions: ASA5550 or ASA with 4GE I/O module running 8.2.1 code and using interfaces in slot 0 and slot 1.
Workaround: Do not use interfaces in slot 1 since this triggers the problem.

H323 inspection fails when multiple TPKT messages in IP packet , Fixed CSCta62631

Symptom: When H323 traffic is traversing the ASA, and if that H323 traffic has IP packets that contain multiple TPKT messages, the firewall might fail to correctly process the H323 information and perform the necessary inspections. One symptom might be that internal IP addresses in the payload of the TCP packets are not correctly "fixed-up" by the firewall if they are subjected to address translation on the firewall.
Conditions: All of the following conditions must be met to hit this problem: 1) H323 traffic must traverse the firewall, and the IP packets in these flows must contain more than one TPKT message per IP packet. 2) The H323 inspection must be enabled on the firewall.
Workaround: Remove the H323 inspection with the command 'no inspect h323' in the policy applied to the firewall, open the access-lists to allow the necessary audio streams, and ensure the H323 endpoints are not subjected to NAT by the firewall.

WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put , Fixed CSCtb64913

Symptom: ASA crashes in Thread Name: Dispatch Unit Conditions: Experienced in interim releases 8.0.4.29 & 8.0.4.32 Workaround: none at this time Further Problem Description:

ASA not displaying pictures on the portal page , Open CSCtd28327

Symptom: ASA not displaying some pictures on the login/portal page. Instead a "Logo" text is shown
Conditions: ASA running 8.0(5) image and image size has to be above 17K
Workaround: Downgrade to any 8.0(4) interims or upgrade to 8.2(1) which is unaffected.

, Fixed CSCsy75345

Symptom: In certain condition (mainly in failover mode) the standby address cannot be pinged and show failover show the interface flapping or in Normal (Waiting) state
Conditions: - you use 4ge-ssm - you have configured on some port <8 subinterface and in some others >8 subinterface: example: context blah1 allocate-interface GigabitEthernet0/3 allocate-interface GigabitEthernet0/3.1 allocate-interface GigabitEthernet0/3.10-GigabitEthernet0/3.11 allocate-interface GigabitEthernet1/0.10 allocate-interface GigabitEthernet1/1.10-GigabitEthernet1/1.21 <---------- (> 8 subint) allocate-interface GigabitEthernet1/1.44 visible allocate-interface GigabitEthernet1/2.10-GigabitEthernet1/2.15 <----------- (< 8 subint)
Workaround: can be to set ALL the ports to have >8 subinterface
Further Problem Description:

Page fault in IP thread under high traffic load , Open CSCsr25122

Symptom: Tracebacks with Thread name : IP Thread
Conditions: Usually when the device is under heavy load with both through and to-the-box traffic. Note: The problem is present only on ASA 8.0 and later releases.
Workaround: none at this time
Further Problem Description: Tracebacks on active failover PIX with Thread name : IP Thread Also could occur on standalone PIX.

ASA :: VPN-Session incorrectly shows 100% Load for sslvpn , Open CSCsz23972

Symptom: vpn-sessiondb will incorrectly show 100% load when no users are connected. This will prohibit new sessions from being created.
Conditions: seen in 8.0.4.28 after 12 days of uptime. ASAs in failover pair
Workaround: reload ASA
Further Problem Description:

ASA traceback in thread IPsec message handler , Terminated CSCtd99335

Symptom: ASA may reload with the thread in IPsec message handler
Conditions: ASA running 8.2.1.12 release.
Workaround: Upgrade to 8.2.2

IKE FSM for AM responder gets into bad state + error loop , Fixed CSCsq91271

Symptom: IKE FSM in error loop for a deleted user (not in the config anymore), no actual IKE exchange taking place. [IKEv1]: Group = group, Username = username, IP = 10.1.1.1, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA! [IKEv1]: Group = group, Username = username, IP = 10.1.1.1, SA lock refCnt = 0, bitmask = 00000080, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0 [IKEv1 DEBUG]: Group = group, Username = username, IP = 10.1.1.1, IKE AM Responder FSM error history (struct &0x4e41b20) , : NullState, EV_RCV_DELETE-->NullState, NullEvent-->NullState, EV_START_TM-->AM_STANDBY_REKEY, EV_START_TM-->AM_TM_INIT_XAUTH_V6H, EV_RESEND_MSG-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent [IKEv1]: fsmDriver returned error
Conditions: 7.2.4, cause unclear
Workaround: none (reboot would most likely solve the issue)
Further Problem Description: none so far

ASA 8.0.5 snmp-server re-configuration can cause socket used messages , Fixed CSCte18319

Symptom: As of ASA 8.0.5 following messages can be seen when snmp-server is reconfigured: -------------- UDP: ERROR - socket 41216 in used --------------
Conditions: Not seen in ASA before 8.0.5
Workaround: Not known at the moment.
Further description This is not related to CSCsy69368 but related to minor bug CSCta09453. A possible sequence that can lead to this behavior is: - configure snmp-server - clear whole configuration for snmp-server (clear configure snmp-server) - re-reconfigure snmp-server

SSH resource exhausted preventing further sessions , Fixed CSCsm68097

Symptom: Under a rare occurance, SSH sessions for management access can become locked preventing further SSH connections to be established to the ASA.
Conditions: ASA 8.0(2), 8.0(3) SSH enabled
Workaround: A reload will clear the hanged SSH sessions. -other types of connections still function (telnet,console) -downgrade to 7.x code Other Notes: Following best practices, its always advisable to only accept SSH from trusted hosts.

Fuzzing testbed, traceback in the javascript parser , Open CSCta06013

Symptom: ASA running 8.0.5 may reload in Unicorn Proxy Thread.
Conditions: ASA running 8.0.5 code.
Workaround: none.
Further Problem Description: Issue seems to be related to javascript parser.

"possible channel leak" when loading with large configuration , Open CSCte55194

Symptom: CLI access to the ASA may hang with one of the following messages when processing an extremely large configuration: release: possible channel leak in fover_parse release: possible channel leak in pix_flash_config_thread. release: possible channel leak in ssh
Workaround: Downgrade to 8.2(1)

Traceback when using packet tracer , Terminated CSCsi21609

Condition: PIX or ASA reloads when injecting a packet via the packet-tracer tool Symptom: PIX or ASA running 7.2.2 or later.
Workaround: Don't use the packet tracer.

Traceback:: IKE daemon - Traversing MIB Logged-in User Database , Fixed CSCsz55540

Symptom: ASA crashes in Dispath Unit or Checkheaps or Ike daemon
Conditions: Has been seen on 7.2.4.31 Involve large use of vpn clients or l2tp over ipsec clients SNMP monitoring of the session manager MIB such as session_count = "1.3.6.1.4.1.9.9.392.1.3.3.0"
Workaround: This issue is not occurring on the latest 8.0 release.
Further Problem Description:

Traceback in Thread Name: Dispatch Unit with inspect h323 , Fixed CSCsk96804

Symptom: PIX/ASA may crash while running 7.2(3) on Thread Name Dispatch Unit
Conditions: - Software versions 7.2(3.12) and 8.0(3) H.323 inspection Lot of H323 setup requests.
Workaround: None available.

Assert in access_list.c when viewing v4 ACL with v6 addresses configured , Open CSCte41930

Symptom: When trying to view an IPv4 access-list that contains IPv6 addresses the ASA crashes and issues the following message: assertion "hp->ip_version == IP_VERSION_4" failed: file "access_list.c", line 6249
Conditions: This is technically a misconfiguration. The misconfiguration is accomplished by nesting object groups within each other

object-group network v4-address network-object 10.10.10.0 255.255.255.252 ! object-group network v6-address network-object fd70:415f:59b0:946b::/64 ! object-group network v4-v6-group group-object v4-address group-object v6-address access-list crash permit tcp object-group v4-v6-group any eq ftp

This configuration will be accepted by the command line without any errors, but once write mem or show run is issued the device will crash.
Workaround: This is due to a misconfiguration. Do not configure IPv6 addresses in IPv4 access-lists.

ASA may reload with traceback in thread name CTM message handler , Terminated CSCtc32031

Symptom: ASA may reload with traceback in thread name CTM Message Handler.
Conditions: ASA running 8.x code.
Workaround: None

Unable to SSH over remote access VPN (telnet, asdm working) , Fixed CSCsy57872

Symptom: Unable to SSH over a remote access vpn connection. Connection attempt fails immediately (no username or password).
Conditions: Problem found on 8.0.4(21). The interface is pingable. You can telnet and ASDM to the interface. You can also SSH through the ASA to other internal routers. You can also SSH to the ASA interface sitting internal to the network. The only part that is not working is SSH to the interface on the ASA itself over the VPN.
Workaround: unapply the SSH command and reapply: no ssh ssh

, Fixed CSCsx64741

Symptom: system crashed sometimes when rate limiter is configured and packets in the flow contains multiple different value of dscp.
Conditions: system crashed sometimes when rate limiter is configured and packets in the flow contains multiple different value of dscp.
Workaround: remove rate limiting (police) from configuration
Further Problem Description:

watchdog failure in sqlnet inspection engine , Fixed CSCsr06900

Symptom: A PIX or ASA firewall running 8.0.x code may crash and reload citing the Dispatch Unit thread as the crashing thread.
Conditions: This occurs on versions of ASA and PIX firewall code prior to 8.0.3.25.
Workaround: None at this time.

threat-detection not releasing cached memory after being disabled , Fixed CSCsm21719

Symptom: After disabling Threat-detection, it is still caching a large amount of RAM which is not freed back to the system.
Conditions: Threat-detection needs to be enabled, and then disabled. Typically, the default 'basic-threat' and 'statistics access-list' would not cause this condition.
Workaround: Disable threat-detection, and then reboot the appliance to reclaim the memory.
Further Problem Description: The output of "show memory detail" will show most of the memory is consumed by the 698880 size fragment. Investigating the consumer of this fragment size will reveal chunk_create as the largest consumer. Then the 'show chunkstat' output will show that "SNP Host statistics chunk" is consuming most of the memory.

Traceback on secondary with SIP connection replication , Fixed CSCtd43241

Symptom: ASA may reload with the traceback in the thread Dispatch Unit.
Conditions: The traceback happens upon SIP connection replication in a rare corner case.
Workaround: none
Further Problem Description: Issue is similar to CSCtc30413 in a sense that it has the same traceback, however the underlying logic is differen, as the root cause here is SIP connection replication.

Traceback in ci/console after sh crypto ipsec sa , Fixed CSCsz01314

Symptom: ASA crashes in ci/console with a vector page fault
Conditions: Lots's of phase II are present and phase I and Phase II got rekeyed 'show crypto ipsec sa' has been issued
Workaround: none. Do not use that command
Further Problem Description:

Traceback in Thread Name: Dispatch Unit with ESMTP Inspect enabled , Fixed CSCse47150

Symptom: Traceback in PIX/ASA 7.2.1
Conditions: When processing segmented SMTP/ESMTP packets.
Workaround: Disable inspect ESMTP upgrade past 7.2.1.17

, Fixed CSCsu45313

Symptom: - The ASA crashes after entering the command "show capture"
Conditions: - ASA 5580 running 8.1(1)5 - Capturing packets on a busy interface using circular buffer
Workaround: - Avoid using the "show capture" command for packet capture with circular-buffer