<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"> 
  <channel>
  <title>Adaptive Security Appliance Hot Issues from Cisco TAC</title>
  <link>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</link>
  <description>Hot Issues from Cisco TAC.  Please click the link for complete details.</description>
  <language>en-us</language>

  <managingEditor>wsisk@cisco.com (Wes Sisk)</managingEditor>
  <webMaster>news-at-cisco-rss@cisco.com (Cisco Newsroom)</webMaster>
  <pubDate>Mon, 16 Nov 2009 22:25:48 EST</pubDate>
  <lastBuildDate>Mon, 16 Nov 2009 22:25:48 EST</lastBuildDate>
  <generator>PERL</generator>

  <docs>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</docs>
  <ttl>10080</ttl>

<item>
<title>Duplicate ASP crypto table entry causes firewall to not encrypt traffic , Open CSCtb53186</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb53186</link>
<description>Symptom:
When testing 100 site-to-site VPN connections on an ASA running 8.2.1, one or two tunnels would not encrypt traffic.

The connections were established and dropped multiple times before seeing this issue.
&lt;br&gt;
Conditions:
&quot;sho asp table vpn-context detail&quot; shows duplicate crypto table entries: two current and one left over from a previous connection.

As a result, traffic is not encrypted.
&lt;br&gt;
Workaround:
Reload ASA.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb53186</guid>
</item>
<item>
<title>Traceback in Thread Name: Unicorn Admin Handler , Fixed CSCta02170</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta02170</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA reloads due to block corruption.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

ASA5550, or an ASA with a 4GE I/O module, running 8.2.1 code and using interfaces in slot 0 and slot 1.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Do not use interfaces in slot 1, since this triggers the problem.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta02170</guid>
</item>
<item>
<title>Traceback in Thread Name: PIX Garbage Collector , Fixed CSCtb42871</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb42871</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA 8.2.1 crashes in Thread Name: PIX Garbage Collector.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Software 8.2.1.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb42871</guid>
</item>
<item>
<title>ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure , Fixed CSCta55072</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta55072</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Running version 8.2.1.
The ASA5505 has a basic license with an inside-hosts limit. When the total number of inside hosts exceeds the limit, the crash may be triggered.
If the license does not limit inside hosts, the crash won&#39;t be triggered.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

No workaround
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta55072</guid>
</item>
<item>
<title>ASA fails to redirect traffic to WCCP cache server , Fixed CSCsy82260</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy82260</link>
<description>On certain occasions after a failure, the ASA fails to redirect traffic on TCP ports 80 and
443 to the WCCP cache servers. This problem occurs at any time during the day. We have
observed that the problem always happens after a failure in the network that causes the
ASA to momentarily lose communication with the WCCP servers. This can be a failure initiated on
the WCCP servers themselves or on any connecting devices between the ASA and the WCCP
servers. We have two (2) WCCP cache servers; if either of these servers is brought down
for maintenance, we experience the problem as well. Traffic will not be redirected to the
remaining online server. The first thing we see on the ASA is log messages indicating that
communication with the web-cache server has been lost, as shown below:
 
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/90 lost
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/91 lost
Mar 06 2009 08:52:03: %ASA-1-332004: Web Cache 172.20.143.11/92 lost

The IP addresses for our web-cache servers are 172.20.143.11 and 172.20.143.12. When the
connection failure, caused by whatever reason (outside of the ASA itself), is restored, no
traffic is redirected by the ASA. The show wccp commands show everything is normal; it is
able to talk with the web-cache servers. The symptoms that were observed in
troubleshooting were that &quot;show wccp 90 detail&quot; on the ASA displayed redirected packet
counters that were not incrementing. All other WCCP diagnostics appeared normal
(Here I Am &amp; I See You heartbeat packets were incrementing) on both the ASAs and the Blue
Coat proxies, and &quot;show wccp 90&quot; on the ASA indicated 1 WCCP router (the ASA) and 2 WCCP
caches (the Blue Coat proxies), as expected. User traffic will be reaching the internet
directly without redirection. We did not notice this problem until after upgrading the ASA
code to 8.1.2(11) on 02/02/2009. The previous code we were running prior to that was
8.1.2(7). The problem could have been there on the previous code but we just did not
notice it until we were running 8.1.2(11). Please note we do not see this problem at all
when the ASA itself fails or is reloaded. It always occurs when there is any other failure
which causes web-cache communication to be lost.
 

Workaround

The steps outlined below show how we resolve this issue when it happens.

1.  Disable WCCP on Blue Coat proxy 1 and proxy 2.

2.  Remove the WCCP commands on the ASA:

no wccp interface inside 90 redirect in
no wccp 90 redirect-list 101 password Bluecoat
no wccp 91 redirect-list 133 password Bluecoat
no wccp 92 redirect-list 134 password Bluecoat
no wccp 93 redirect-list 135 password Bluecoat
no wccp 94 redirect-list 136 password Bluecoat
no wccp 95 redirect-list 137 password Bluecoat
no wccp 96 redirect-list 138 password Bluecoat
no wccp 97 redirect-list 139 password Bluecoat

3.  Reconfigure WCCP commands on the ASA:

wccp 90 redirect-list 101 password Bluecoat
wccp 91 redirect-list 133 password Bluecoat
wccp 92 redirect-list 134 password Bluecoat
wccp 93 redirect-list 135 password Bluecoat
wccp 94 redirect-list 136 password Bluecoat
wccp 95 redirect-list 137 password Bluecoat
wccp 96 redirect-list 138 password Bluecoat
wccp 97 redirect-list 139 password Bluecoat
wccp interface inside 90 redirect in

4.  Enable WCCP on Blue Coat proxy 1 and proxy 2.

5.  Observe that Here I Am &amp; I See You heartbeat packets are incrementing on both the
ASAs and the Blue Coat proxies.

6.  Observe that redirected packet counters are incrementing on the ASA.

7.  Confirm from our PCs that web traffic is being redirected from the ASA to the Blue
Coat proxies for authentication and filtering.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy82260</guid>
</item>
<item>
<title>Traceback when editing object-group , Fixed CSCsy71401</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy71401</link>
<description>Symptom:

The ASA will crash if changes are made to an object group. The crash thread will be whatever process was used for connecting to the ASA (ssh, telnet, ci console, etc.).

The crash dump will indicate that CPU and Memory were at 99% utilization.
&lt;br&gt;
Conditions:

Object groups must be used by the ASA in the ACL.
&lt;br&gt;
Workaround:

None.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy71401</guid>
</item>
<item>
<title>Page fault in IP thread under high traffic load , Fixed CSCsr25122</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr25122</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Tracebacks with Thread Name: IP Thread
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Usually when the device is under heavy load with both through and to-the-box traffic.
Note: The problem is present only on ASA 8.0 and later releases.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None at this time.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

Tracebacks on an active failover PIX with Thread Name: IP Thread.
It could also occur on a standalone PIX.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr25122</guid>
</item>
<item>
<title>Traceback in scheduler , Fixed CSCsk85428</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk85428</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Traceback in scheduler.  This traceback could happen in any thread.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Cisco ASA/PIX running some versions of 7.0, 7.1, and 7.2. This condition is a very rare timing condition. It is not induced or affected by any configuration on the box or any external stimulus. It could happen in any release after the following releases:

007.000(006.037) 007.001(002.058) 007.002(002.027)
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk85428</guid>
</item>
<item>
<title>Netflow does not make use of management-access feature , Fixed CSCta90855</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta90855</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Netflow does not interoperate with the &quot;management-access ...&quot; 
feature.  This prevents a user from configuring Netflow to source 
flow records from an internal interface, and then have the traffic 
sent encrypted over a VPN tunnel on an external interface.
&lt;br&gt;

&lt;B&gt;Conditions:&lt;/B&gt;
- Netflow configured
- management-access configured
&lt;br&gt;

&lt;B&gt;Workaround:&lt;/B&gt;
Configure the crypto match ACL to include the outside interface IP
of the security appliance (as the source) and the Netflow collector
as the destination - and on the peer endpoint add the reverse 
match criteria.  Also, specify that the collector resides out the 
outside interface.  This will allow the Netflow traffic to be 
encrypted when sourced from the outside interface&#39;s IP as 
a workaround.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta90855</guid>
</item>
<item>
<title>CSC does not recover by itself from auto update corruption , Open CSCtc37947</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc37947</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Some signatures may fail to update even though a newer version of the signatures is available in the TrendMicro repository.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Sporadic, during normal operation.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

From the root account on the CSC, remove the temporary files created for auto update.
Restart the services.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc37947</guid>
</item>
<item>
<title>DTLS Traceback in TLS fragment handling , Fixed CSCsl37063</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsl37063</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA crashes in DTLS fragment handling code.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
1. SVC and DTLS are used.
2. A lossy and/or high-latency network causing out-of-order packets.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Disable DTLS.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsl37063</guid>
</item>
<item>
<title>ASDM logging freezes when a long URL is accessed , Fixed CSCtb92911</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb92911</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASDM real-time log viewer freezes occasionally.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

ASA is running 8.2.1 version and is configured with [URL-Filtering+HTTP inspection] or [&#39;user-defined&#39; HTTP inspection policy].
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

The problem seems to be triggered by syslogs 304001-304005, which display the URLs accessed. By disabling these log messages, the problem can be mitigated.

ASA(config)#no logging message 304001
ASA(config)#no logging message 304002
ASA(config)#no logging message 304003
ASA(config)#no logging message 304004
ASA(config)#no logging message 304005

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb92911</guid>
</item>
<item>
<title>NetFlow references IDB Interface Value instead of SNMP ifIndex , Fixed CSCtb63825</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb63825</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The InputInt and OutputInt fields in a Data FlowSet do not map to the SNMP ifIndex as expected.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Netflow configured on an ASA.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
No known workaround.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;
The InputInt and OutputInt fields of the NetFlow Data FlowSets should be the same as the ifIndex referenced by SNMP, which can be seen in the output of &lt;b&gt;show int detailed&lt;/b&gt;. However, these fields incorrectly reference the value used internally by the output of &lt;b&gt;show idb&lt;/b&gt;.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb63825</guid>
</item>
<item>
<title>ENH: Netflow v5 real time traffic statistics support , Open CSCsz99354</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz99354</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
This is a feature request only.

This feature request is for the ASA to provide NetFlow v5 traffic
analysis exports at periodic intervals, just like IOS routers,
so that users may view real-time traffic information via NetFlow.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Currently the ASA only provides NetFlow v9 support as a
method for binary syslogging. For network traffic functions,
the flow tear-down event (ID 263) contains a &quot;total bytes transferred&quot; (octets)
field. It is possible to use this to determine historic network traffic
utilization.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz99354</guid>
</item>
<item>
<title>access-list logging prints 106100 syslog always at informational level , Fixed CSCsz73284</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz73284</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Logging message 106100 always prints at level informational. As a result, logging message 106100 is not printed when the logging level is set lower than informational for both the access-list and the logging configuration.
&lt;br&gt;

&lt;B&gt;Conditions:&lt;/B&gt;
Syslog level set lower than informational (level 6) for both access-list and logging.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Configure the following:
logging list mylist level notifications
logging list mylist message 106100
logging trap mylist

This will allow only notification level syslogs and 106100 to be logged.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz73284</guid>
</item>
<item>
<title>Traceback in Thread Name: Dispatch Unit with inspect h323 , Fixed CSCsk96804</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk96804</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

PIX/ASA may crash while running 7.2(3) in Thread Name: Dispatch Unit.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
- Software versions 7.2(3.12) and 8.0(3)
- H.323 inspection
- Lots of H.323 setup requests
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None available.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk96804</guid>
</item>
<item>
<title>SQLNet inspection closes flow , Fixed CSCsu44598</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu44598</link>
<description>Symptom:
SQLNet connection is closed by SQLNet inspection in certain cases.
&lt;br&gt;
Conditions:
The issue is seen with ASA 8.0(4) with SQLNet inspection enabled and when there are multiple TNS frames in one TCP segment. The following log messages
are seen on the ASA:

 %ASA-6-302014: Teardown TCP connection...Flow closed by inspection

When enabling &#39;debug sqlnet 255&#39;, you may also see the following debug message:
 SQLNet: multiple TNS frames in one packet!
&lt;br&gt;
Workarounds:
1) Disable SQLNet inspection
2) Downgrade to a version prior to 8.0.3.33
&lt;br&gt;
Further Problem Description:
This bug was introduced due to the integration of CSCsr27940 in versions
8.0.3.33 and 7.2.4.15. Versions prior to these releases should not be affected.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu44598</guid>
</item>
<item>
<title>RDP SSO doesn&#39;t send pass , Fixed CSCtc25115</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc25115</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The RDP SSO bookmark doesn&#39;t work: the ASA only sends the username, but not the password, when bookmark groups are assigned via DAP and the last group on the list doesn&#39;t contain any RDP bookmarks.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
- bookmark groups assigned via DAP
- last group doesn&#39;t contain an RDP link
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
- change the order of bookmark groups in DAP, or insert an RDP link into the last group on the list
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc25115</guid>
</item>
<item>
<title>the procedure of copying a file from ramfs to flash should be atomic , Fixed CSCsy77628</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy77628</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
&quot;%ERROR: copying &#39;disk0:/csco_config/97/customization/index.ini&#39; to a
temporary ramfs file failed&quot; or similar message
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
During WebVPN customization configuration (while pushing config files)
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Issue &quot;revert webvpn all&quot; to clear all WebVPN config and reconfigure from scratch.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;
n/a

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy77628</guid>
</item>
<item>
<title>SQLNET query via inspection cause communication errors , Fixed CSCta03382</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta03382</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
With SQLNET inspection, the Oracle database connection drops with the errors
- ORA-12569 TNS packet checksum failure
- ORA-03106 fatal two-task communication protocol error
if a specific query is sent.

Also, the following syslog may be printed:
%ASA-4-507003: tcp flow from dmz:172.20.1.1/65000 to inside:172.16.1.1/1521 terminated by inspection engine, reason - proxy inspector drop reset.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA with SQLNET inspection
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Disabling SQLNET inspection is an option as long as NAT is not in use.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta03382</guid>
</item>
<item>
<title>Cannot open DfltCustomization profile after downgrade from 8.2(1) to 8.0 , Fixed CSCta94184</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta94184</link>
<description>After downgrading the ASA 5520 from 8.2(1) to 8.0.4.38, the following error is seen on the console when the ASA boots up:

   ..%ERROR: Wrong customization object &#39;DfltCustomization&#39;(csco_config.lua:499: cs
   co_config.lua:367: Unexpected configuration tag &#39;secondary-username-prompt-text&#39;
    (line=646,column=11,position=19416)

Trying to edit the &#39;DfltCustomization&#39; profile fails in ASDM and displays the following: Cannot open Customization profile...

There is no workaround for this.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta94184</guid>
</item>
<item>
<title>Sharepoint: WebFolders Fails to Copy Files , Fixed CSCtd00457</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtd00457</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

When attempting to copy files via WebFolders to the desktop via WebVPN, files are generated on the desktop with the correct names; however, these files are empty. This is seen when copying multiple files simultaneously.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
This is seen in ASA 8.2.1 when copying multiple files from a WebFolder.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Copying individual files seems to work.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtd00457</guid>
</item>
<item>
<title>CUPC on ASA fails to transmit port 50001 due to reassembly limit of 8192 , Fixed CSCsq04749</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq04749</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

CUPC client communication fails through the PIX/ASA due to the TCP proxy 8k reassembly limit
in SIP inspection.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

SIP inspection enabled
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Disable SIP inspection if not doing NAT and permit the appropriate ports. If using NAT, there are no
available workarounds at this time.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

N/A

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq04749</guid>
</item>
<item>
<title>.NET framework is not working with non-web application/smart-tunnel-list , Open CSCsv29942</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv29942</link>
<description>Symptom:

A specific homegrown .NET framework application is not working with the webvpn
smart-tunnel configuration for non-web applications (smart-tunnel-list).
&lt;br&gt;
Conditions:

ASA running 8.0.3.9 or any 8.x code.

A homegrown .NET framework application is used; the user starts the application
from the Start menu.

The webvpn smart-tunnel configuration for non-web applications (smart-tunnel-list) is
configured.

Auto-start Smart Tunnels is configured in the group policy using &quot;exe&quot; .exe
and app.exe.
&lt;br&gt;
Workaround:

The AnyConnect client should be used to access .NET framework
applications.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv29942</guid>
</item>
<item>
<title>SSH resource exhausted preventing further sessions , Fixed CSCsm68097</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm68097</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
On rare occasions, SSH sessions for management access can become locked, preventing further SSH connections from being established to the ASA.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA 8.0(2), 8.0(3)
SSH enabled
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
A reload will clear the hung SSH sessions.
- other types of connections still function (telnet, console)
- downgrade to 7.x code

&lt;B&gt;Other Notes:&lt;/B&gt;
Following best practices, it is always advisable to only accept SSH from trusted hosts.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm68097</guid>
</item>
<item>
<title>Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI , Fixed CSCsh48962</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh48962</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

-  Remote Access clients can successfully connect but not access resources on the internal network
-  Packets destined for the remote side of an L2L tunnel are not being encrypted 
-  Traffic is not encrypted with correct SPI 
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

-  &quot;show crypto ipsec sa&quot; shows decrypts, but no encrypts
-  &quot;show asp table classify crypto&quot; shows multiple entries for the traffic
-  the vpn-context from &quot;show asp table vpn-context det&quot; that matches the asp table entry with increasing hit counts has an SPI that isn&#39;t valid (it isn&#39;t found in &quot;show crypto ipsec sa&quot;)
-  the vpn-context with the valid SPI isn&#39;t used
-  a packet capture on the outside interface shows encrypted packets going to the remote peer
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

-  Reload the PIX/ASA
-  Fixed by the change for CSCsh66576. Refer to that bug number for availability.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh48962</guid>
</item>
<item>
<title>&quot;copying ... to a temporary ramfs file failed&quot; during webvpn config ,   CSCsy78725</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy78725</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
&quot;%ERROR: copying &#39;disk0:/csco_config/97/customization/index.ini&#39; to a
temporary ramfs file failed&quot; or similar message
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
During WebVPN customization configuration (while pushing config files)
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Issue &quot;revert webvpn all&quot; to clear all WebVPN config and reconfigure from scratch.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;
n/a

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy78725</guid>
</item>
<item>
<title>ASA: Memory leak when secure desktop is enabled , Open CSCsz92808</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz92808</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA leaks memory when secure desktop is enabled.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

ASA has secure desktop enabled.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Reload the device.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz92808</guid>
</item>
<item>
<title>PP:ASA fails to send Music on Hold (MOH) stream to secure phone , Open CSCso81816</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso81816</link>
<description>Symptom:
When a non-secure phone puts a secure phone on hold, the secure phone does not
hear the Music On Hold (MOH).

MOH works if the secure phone puts the non-secure phone on hold.

This issue only affects secure phones that are put on hold. That is because
the RTP media stream from the CallManager to the ASA Media Termination Address
is dropped.

Looking at the syslogs, you can see the RTP MOH stream being denied by the ASA.
The source IP address of the stream is the CallManager IP. The destination IP
address of the stream is the Media Termination Address (MTA) on the ASA.

 %ASA-7-710005: UDP request discarded from 10.3.2.2/24588 to
inside:192.168.2.3/17492

The output of &quot;show asp drop&quot; shows that the counter for &quot;Flow is denied by a configured
rule&quot; increases. An ASP drop capture verifies that the MOH
stream is being dropped by the ASA.

 Flow is denied by configured rule (acl-drop)                            978876
&lt;br&gt;
Condition:
The CallManager needs to be configured to send an RTP MOH stream to the secure
phone after hold is pressed.
&lt;br&gt;
Workaround:
A &quot;hold tone&quot; can be used in place of MOH. To accomplish this, create a new
Media Resource Group and add the MOH Server to that group. Do not assign the
MRG to any of the phones. Now, a hold tone will be played (a beep every few
seconds) when a secure phone is placed on hold.

The idea of the workaround is to disable access to the MoH resource for phones on the
outside, so that when a call is placed on hold, CUCM sends a SKINNY message to
play a tone on hold instead of a SKINNY message with the IP address/port number of the MoH
server.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso81816</guid>
</item>
<item>
<title>Traceback in TCP Normalizer . , Fixed CSCsh12711</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh12711</link>
<description>Multiple vulnerabilities are found in Cisco PIX 500 Series Security
Appliances and the Cisco ASA 5500 Series Adaptive Security Appliances.
They affect the following:

* Enhanced inspection of Malformed Hypertext Transfer Protocol (HTTP)
traffic

* Inspection of malformed Session Initiation Protocol (SIP) packets

* Inspection of a stream of malformed Transmission Control Protocol
(TCP) packets

* Privilege escalation

Vulnerabilities are independent of each other. If a vulnerability
affects a device, it does not necessarily mean that the device is
affected by all of them.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh12711</guid>
</item>
<item>
<title>SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE , Fixed CSCsh91747</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh91747</link>
<description>Symptom:
1) SSL VPN stress causes SSL lib error. Function: DO_SSL3_WRITE
2) SSL lib error. Function: SSL3_SETUP_BUFFERS Reason: malloc failure, and the ASA will not
respond to any SSL VPN or ASDM connection
&lt;br&gt;Conditions:
-Continuously running through many Web VPN or ASDM connections for a couple of days.
&lt;br&gt;Workaround:
1)Reload the ASA
2)Re-enable the WebVPN.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsh91747</guid>
</item>
<item>
<title>Automatically added AAA command break ASA5505EasyVPN client after reboot , Fixed CSCsx59403</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx59403</link>
<description>Symptom:

After a reboot of the ASA5505 firewall, the Easy VPN Remote tunnel does not come up.
&lt;br&gt;
Conditions:

ASA5505 running 8.0.4, 8.0.4.16, 8.0.4.20, 8.0.4.22 or 8.0.4.23,  and is configured as an Easy VPN hardware client (also called &quot;Easy VPN Remote&quot;).

The defect only occurs if the interface used by VPN Remote is configured with a dynamic IP address (either DHCP or PPPoE).

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 

After the reboot the following commands are added to the config:

 aaa authentication listener http inside port www redirect
 aaa authentication listener https inside port 1443 redirect

And the following command is removed from the config:

 vpnclient enable
&lt;br&gt;
Workaround:

After each reboot, remove the automatically added AAA commands below in configuration mode:

no aaa authentication listener http inside port www redirect
no aaa authentication listener https inside port 1443 redirect

Then issue the vpnclient enable command in configuration mode.

Also, we found that removing the command HTTP server enable solves the problem, or just removing HTTP x.x.x.x y.y.y.y interface outside solves the problem.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx59403</guid>
</item>
<item>
<title>Failover interface is not listed in &quot;ifTable&quot; MIB , Fixed CSCsm55947</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm55947</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The failover interface is missing from the snmpwalk of the ifTable. 
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Failover and SNMP are configured on the firewall.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None




</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm55947</guid>
</item>
<item>
<title>Problem with cp conn&#39;s c_ref_cnt while release cp_flow in tcp_proxy_pto , Fixed CSCtb61326</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb61326</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA may crash if snp_flow_free() is called within proxyi_send_rst() which is called in tcp_proxy_pto().
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
The test is related to tcp proxy. skinny inspection is configured to trigger tcp proxy. 
Garbage collection routine tcp_proxy_pto() is triggered.
If snp_flow_free() is called within proxyi_send_rst() which is called in tcp_proxy_pto(), ASA may crash due to the incorrect c_ref_cnt logic.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
N/A
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;
The problem was found in unit tests while verifying the fix of CSCtb42871.
Need to further check the c_ref_cnt logic in cp conn release reference routine.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb61326</guid>
</item>
<item>
<title>ASA5580: no buffer counter may increment for no apparent reason , Fixed CSCsv19080</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv19080</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA5580 &quot;show interface&quot; may show no buffer counter incrementing steadily when the load through the box is fairly low.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

This was first observed in an ASA5580 running 8.1.2 - transparent mode
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

a. CPU (less than 5%)
b. type of traffic (http, e-mail, ftp)
c. amount of traffic (total conn through the box was around 5K)
d. traffic was observed between t0/7 and t0/8 interfaces on the same adapter.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv19080</guid>
</item>
<item>
<title>Traceback in thread name Dispatch Unit , Fixed CSCsx72410</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx72410</link>
<description>Symptom:
Cisco ASA may crash in thread name Dispatch Unit on very rare occasions when using AnyConnect.
&lt;br&gt;
Workaround:
Upgrade to version with fix.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx72410</guid>
</item>
<item>
<title>&#39;error contacting host&#39; accessing CIFS shares, occurs after 24 days , Fixed CSCsu77535</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu77535</link>
<description>






&lt;B&gt;Symptom:&lt;/B&gt;
When a customer browses CIFS links through clientless WebVPN or clicks the link for &#39;browse the entire network&#39;, the following message may appear:

&#39;Error Contacting Host&#39;

The netfs_mount fails to create ramfs vol.  This is a different issue from CSCsl94183.  This issue has to do with an unsigned minus signed calculation of the system uptime in milliseconds.  Once the box has been up for ~24 days all clientless smb mounts will fail to mount with this error.






&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

This issue usually appears when the ASA has been up for around 24 days.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Reload the ASA every 20 days or so. Use failover to minimize impact. 




</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu77535</guid>
</item>
<item>
<title>Additional WebVPN licenses are being used during every auth challenge , Fixed CSCsr46571</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr46571</link>
<description>Additional WebVPN licenses are being used during every auth challenge such as Radius proxy to SDI where the token is in new PIN mode. The additional licenses are NOT released when the Webvpn client is disconnected. This issue does not occur in the released ASA v8.0.3 and is fixed in v8.0.3.34 or later.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr46571</guid>
</item>
<item>
<title>Traceback in thread: Dispatch Unit (Old pc 0x0021eae7 ebp 0x01887690) , Fixed CSCsk48199</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk48199</link>
<description>
&lt;b&gt;Symptom:&lt;/b&gt; 
  A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security
  Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA)
  that may result in a reload of the device. This vulnerability is triggered
  during processing of a crafted IP packet when the Time-to-Live (TTL)
  decrement feature is enabled.
     
  Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028 has been
  assigned to this vulnerability.
 
  Cisco has released free software updates that address this vulnerability. A
  workaround that mitigates this vulnerability is available. 
     
  This advisory is posted at:
  http://www.cisco.com/warp/public/707/cisco-sa-20080123-asa.shtml
&lt;br&gt;     
 &lt;b&gt;Workaround:&lt;/b&gt;
  Disable the TTL decrement feature using the &quot;no set connection decrement-ttl&quot;
  command in class configuration mode. 
     
     ASA(config)# policy-map localpolicy1
     ASA(config-pmap)# class local_server
     ASA(config-pmap-c)# no set connection decrement-ttl
     ASA(config-pmap-c)# exit
     
  For additional information on identifying and mitigating TTL based attacks,
  please refer to the Cisco Applied Intelligence White Paper &quot;TTL Expiry Attack
  Identification and Mitigation&quot;, available at:
  http://cisco.com/web/about/security/intelligence/ttl-expiry.html
     
  
 
 



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk48199</guid>
</item>
<item>
<title>ASA tracebacks in checkheaps , Open CSCtc59391</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc59391</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA tracebacks in checkheaps
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

unknown
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

none at this time
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

ASA crashed couple of times with tracebacks seen with checkheaps. The following syslogs are seen immediately before the crash.

08:55:15 Local7.Debug	10.1.1.2 Oct 13 2009 08:54:52: %ASA-7-711002: Task ran for 24212 msec, Process = Checkheaps, PC = 928fd85, Traceback =
2009-10-13 
08:55:15 Local7.Debug	10.1.1.2 Oct 13 2009 08:54:52: %ASA-7-711002: Task ran for 24212 msec, Process = Checkheaps, PC = 928fd85, Traceback =   0x0928FD85  0x09290CE0  0x08952417  0x08978450  0x0805D725  0x0805DF4F  0x08A23D7C  0xDD7A86D5  0xDD58D1E0  0x092792EA  0x0927A992  0x0927F121  0x0929B636  0x08062413


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc59391</guid>
</item>
<item>
<title>ASA Some configuration changes cause ACL recompile resulting in high CPU , Fixed CSCsm39781</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm39781</link>
<description> Symptom:

Adding the nameif command to a sub-interface may cause a sustained CPU spike which can
be network impacting.
This is also seen when the security level is changed for new or existing interfaces.
&lt;br&gt;
Conditions:

This appears to occur when there are large ACLs present.
&lt;br&gt;
Workaround:

None known at this time other than avoiding the configuration that triggers the issue.
If a failover system is present, a forced failover might help: the affected device can then work through the high CPU without also carrying the production traffic load.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm39781</guid>
</item>
<item>
<title>ASA traceback in Thread Name: Checkheaps , Fixed CSCtb04935</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb04935</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;
 
 ASA traceback in Thread Name: Checkheaps

This traceback occurs when free memory blocks on the ASA are combined into a
single free block greater than 2GB in size.  Checkheaps incorrectly flags this
as a memory corruption.
&lt;br&gt; 
 &lt;B&gt;Conditions:&lt;/B&gt;
 
An ASA device which has more than 2GB of memory installed.
&lt;br&gt; 
 &lt;B&gt;Workaround:&lt;/B&gt;
 
 None.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb04935</guid>
</item>
<item>
<title>Traceback in Remote Access Authentication Code , Fixed CSCso69942</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso69942</link>
<description>Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

Erroneous SIP Processing Vulnerabilities 

IPSec Client Authentication Processing Vulnerability

SSL VPN Memory Leak Vulnerability

URI Processing Error Vulnerability in SSL VPNs

Potential Information Disclosure in Clientless VPNs

Note:  These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. 

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso69942</guid>
</item>
<item>
<title>H323: inspection on video call may cause traceback within 5 min , Fixed CSCsm57920</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm57920</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

H323 inspection may cause the firewall to crash in Thread Name: Dispatch Unit
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

- Software versions 7.2(3.12) and 8.0(3)
- High volume of voice traffic
- Inspections enabled: &quot;inspect h323 h225&quot; and &quot;inspect h323 ras&quot;
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Remove inspection if possible.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

Polycom VSX 7400S units were used on both ends of the video call.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm57920</guid>
</item>
<item>
<title>TCP connections getting stuck in FINWAIT1 state , Fixed CSCsv02768</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv02768</link>
<description>Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control 
Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain 
in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a 
system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot 
may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a 
TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. 
This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds 
that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv02768</guid>
</item>
<item>
<title>Memory leak in Webvpn related to CIFS , Fixed CSCsy88238</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy88238</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;

ASA running WebVPN with a CIFS mount may see a memory leak. 
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

ASA 8.0.4 running webvpn with a CIFS mount
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Reload the box during off hours.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy88238</guid>
</item>
<item>
<title>ASA tracebacks in Thread Name: vPif_stats_cleaner , Fixed CSCtb38344</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb38344</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA tracebacks in Thread Name: vPif_stats_cleaner
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

None.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None at this time.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb38344</guid>
</item>
<item>
<title>Traceback in Thread Name: Dispatch Unit with ESMTP Inspect enabled , Fixed CSCse47150</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCse47150</link>
<description>Symptom:
Traceback in PIX/ASA 7.2.1
&lt;br&gt;
Conditions:
When processing segmented SMTP/ESMTP packets.
&lt;br&gt;
Workaround:
Disable inspect ESMTP
upgrade past 7.2.1.17 




</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCse47150</guid>
</item>
<item>
<title>Traceback with panic message: Lock (snp_conn_t) is held for a long time , Fixed CSCtc52953</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc52953</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Traceback with panic message below:

Message #75 : Panic: DATAPATH-3-539 - Message #76 : spin_lock_fair_mode_enqueue: Lock (snp_conn_t) is held for a long time, owner: CP Processing, requestor: DATAPATH-3-539
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Any secondary connection can cause this problem. 
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

No workaround.
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

None.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc52953</guid>
</item>
<item>
<title>WebVPN: Using Mac 10.6 with Smart Tunnels crashes browser in 8.0.x , Terminated CSCtc05793</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc05793</link>
<description>






&lt;B&gt;Symptom:&lt;/B&gt;

Mac 10.6 using Smart Tunnels will crash the browser with 8.0 release code






&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Mac OS X 10.6 with Safari or Firefox will crash the browser against an 8.0 ASA image while trying to use Smart Tunnels.




&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

NA



&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;













</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc05793</guid>
</item>
<item>
<title>Active unit traceback in accept/http when disabling DHCP relay , Fixed CSCse22853</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCse22853</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
If DHCP relay server and DHCP relay are disabled in rapid succession with 
&lt;b&gt;no dhcprelay server&lt;/b&gt; and &lt;b&gt;no dhcpr enable 
&lt;/b&gt; commands, then the Active unit in a failover setup will 
traceback in thread Name: accept/http (Old pc 0x00721c75 ebp 0x07564924)
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Cisco PIX/ASA running release 7.0.5.  Can be created using ASDM, or the CLI.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Do not disable these functions in rapid succession.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCse22853</guid>
</item>
<item>
<title>Traceback in Thread Name: DATAPATH-2-567 , Fixed CSCta18361</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta18361</link>
<description>

&lt;B&gt;Symptom:&lt;/B&gt;

ASA may reload with traceback in Thread Name: DATAPATH-2-567
&lt;br&gt;

&lt;B&gt;Conditions:&lt;/B&gt;

This crash was seen on an ASA 5540 running 8.1.2.13
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None at this time.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta18361</guid>
</item>
<item>
<title>ASA traceback in Thread Name: Unicorn Proxy Thread , Fixed CSCta06294</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta06294</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The ASA may crash and reload with a traceback in Thread Name: Unicorn Proxy Thread
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Users are connected to the ASA via clientless WebVPN. 
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
none

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta06294</guid>
</item>
<item>
<title>Traceback in thread name IP Thread ,   CSCsk36703</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk36703</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
A PIX or ASA firewall appliance may crash and reload without warning. The firewall will indicate the thread involved in the crash is Thread Name: IP Thread.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
PIX or ASA firewall must be running code version 8.0.2 or later.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Unknown at this time


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk36703</guid>
</item>
<item>
<title>ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 may break webvpn or ASDM , Fixed CSCsq19457</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq19457</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Webvpn or http access stops working after modifying the webvpn or http server port.

The following error may appear during boot up OR when modifying the webvpn or http port parameters.  It may also occur when enabling/disabling webvpn or the http server:
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
The following error may appear during boot up OR when modifying the webvpn or http port parameters.  It may also occur when enabling/disabling webvpn or the http server:
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

This error may occur during bootup if both webvpn and http server are enabled on the same ports.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

If webvpn access fails after modifying the http server port or webvpn port then disabling/re-enabling webvpn should fix the problem.  
For example: 
no webvpn enable outside
webvpn enable outside

If ASDM access fails after modifying the http server port or the webvpn port then disabling/re-enabling the http server should fix the problem.
For example:
no http server enable port xxxx
http server enable port xxxx
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq19457</guid>
</item>
<item>
<title>Unable to SSH over remote access VPN (telnet, asdm working) , Fixed CSCsy57872</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy57872</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;

Unable to SSH over a remote access vpn connection. Connection attempt fails immediately (no username or password). 
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Problem found on 8.0.4(21). The interface is pingable. You can telnet and ASDM to the interface. You can also SSH through the ASA to other internal routers. You can also SSH to the ASA interface sitting internal to the network.  The only part that is not working is SSH to the interface on the ASA itself over the VPN. 
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Remove the SSH command and reapply it:

no ssh &lt;ip&gt; &lt;mask&gt; &lt;interface name&gt;
ssh &lt;ip&gt; &lt;mask&gt; &lt;interface name&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsy57872</guid>
</item>
<item>
<title>Traceback at thread name PIX Garbage Collector , Fixed CSCsv52169</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv52169</link>
<description>&lt;B&gt;Symptom: ASA or Pix may reboot with traceback at Thread Name: PIX Garbage Collector&lt;/B&gt;
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
The specific conditions for this crash are unknown.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
There is no workaround.
&lt;br&gt;
&lt;B&gt;Further Problem Description: &lt;/B&gt;
This crash happens intermittently with no apparent root cause.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv52169</guid>
</item>
<item>
<title>ASA crash in thread IPsec message handler , Open CSCtc98175</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc98175</link>
<description>






&lt;B&gt;Symptom:&lt;/B&gt;

Under rare circumstances, the ASA may reboot. 






&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

 Unknown




&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None



&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;

None














</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc98175</guid>
</item>
<item>
<title>Watchdog traceback in failover lu_rx thread during bulk sync , Terminated CSCsw98373</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw98373</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Active unit in a Failover pair may crash in the lu_rx thread, with a Watchdog failure.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA must be in failover.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
1. Disable &#39;logging flash-bufferwrap&#39;, or
2. Upgrade to 8.3.1 or higher; OS enhancements resolve the issue.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw98373</guid>
</item>
<item>
<title>CSC: File Blocking - Executables also blocks some CSS, SWF, and JS fil , Open CSCtb90028</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb90028</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Executable file blocking will block some SWF, CSS, and javascript files.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

CSC module running 6.3.1172.0
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Disable &#39;Executable&#39; and instead add .exe and .dll files to the list of blocked extensions on that same page.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb90028</guid>
</item>
<item>
<title>Page fault: Address not mapped with telnet traffic. eip and cr2 = 0 , Fixed CSCsx64741</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx64741</link>
<description>






&lt;B&gt;Symptom:&lt;/B&gt;

The system sometimes crashes when a rate limiter is configured and packets in the flow contain multiple different DSCP values.
&lt;br&gt;

&lt;B&gt;Conditions:&lt;/B&gt;

The system sometimes crashes when a rate limiter is configured and packets in the flow contain multiple different DSCP values.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

remove rate limiting (police) from configuration
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;














</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsx64741</guid>
</item>
<item>
<title>IPSec Pass-through breaks after enabling RA VPN on ASA , Fixed CSCso38702</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso38702</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
 
 VPN pass-through connection through the ASA breaks when you enable VPN RA on 
the ASA.
&lt;br&gt; 
 &lt;B&gt;Conditions:&lt;/B&gt;
 
 VPN RA is enabled.
&lt;br&gt; 
 &lt;B&gt;Workaround:&lt;/B&gt;
 
 1) Disable VPN RA; or
 2) Disable then re-enable NAT-T.
 3) If possible switch VPN client to use IPsec over TCP for RA (enable &quot;crypto isakmp ipsec-over-tcp port 10000&quot; on the VPN server)



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCso38702</guid>
</item>
<item>
<title>ASA5580 crashed, thread: DATAPATH w/ asp-drop circular-buffer capture , Fixed CSCtb86463</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb86463</link>
<description>Symptom:
ASA 5580 experienced a crash with thread name: DATAPATH when the customer entered the following command:

capture DROP-AAA type asp-drop all circular-buffer match udp any any eq 1813
&lt;br&gt;
Conditions:
On ASA 5580 running software version 8.1(2.19).  Also seen on software version 8.2(1).
&lt;br&gt;
Workaround:
None

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb86463</guid>
</item>
<item>
<title>ASA 5580 traceback in failover  with DATAPATH-3-555 thread , Fixed CSCsz54501</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz54501</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA 5580 with 8.1.2 crashes with thread DATAPATH-3-555. Both ASAs in the failover pair crash.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA 5580 in failover pair
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
none

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz54501</guid>
</item>
<item>
<title>IKE FSM for AM responder gets into bad state + error loop , Fixed CSCsq91271</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq91271</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;
The IKE FSM is in an error loop for a deleted user (no longer in the configuration); no actual IKE exchange takes place.

[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!
[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, SA lock refCnt = 0, bitmask = 00000080, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
[IKEv1 DEBUG]: Group = group, Username = username, IP = 10.1.1.1, IKE AM Responder FSM error history (struct &amp;0x4e41b20)  &lt;state&gt;, &lt;event&gt;:  NullState, EV_RCV_DELETE--&gt;NullState, NullEvent--&gt;NullState, EV_START_TM--&gt;AM_STANDBY_REKEY, EV_START_TM--&gt;AM_TM_INIT_XAUTH_V6H, EV_RESEND_MSG--&gt;AM_TM_INIT_XAUTH_V6H, NullEvent--&gt;AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA--&gt;AM_TM_INIT_XAUTH_V6H, NullEvent
[IKEv1]: fsmDriver returned error
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Seen on 7.2.4; the cause is unclear.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None (a reboot would most likely clear the condition).
&lt;br&gt;
&lt;B&gt;Further Problem Description:&lt;/B&gt;
none so far
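
A practitioner watching for this loop on a production box wants the repeating reaper/fsmDriver pattern flagged per peer rather than found by eye in a scrolling log. The Python below is an added example, not Cisco code and not part of the bug record: it scans syslog text for the message shapes quoted above, counts reaper deletions of an SA with refCnt 0 and tunnelCnt 0 per (group, username, IP), and attributes the peer-less &quot;fsmDriver returned error&quot; lines to the most recently reaped peer. The sample lines are constructed from the messages above (the 10.1.1.1 peer is reaped three times; a second peer, 198.51.100.5, is reaped once and then goes quiet); the three-reap threshold is a chosen default, not a Cisco value.

```python
import re
from collections import defaultdict

# Constructed sample (not a capture from a real device): the message shapes
# quoted in the bug text, repeated the way a looping FSM emits them, plus one
# healthy peer that is reaped once and then goes quiet.
SAMPLE_LOG = """\
[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!
[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, SA lock refCnt = 0, bitmask = 00000080, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
[IKEv1]: fsmDriver returned error
[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!
[IKEv1]: fsmDriver returned error
[IKEv1]: Group = group, Username = username, IP = 10.1.1.1, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!
[IKEv1]: fsmDriver returned error
[IKEv1]: Group = sales, Username = bob, IP = 198.51.100.5, Reaper overriding refCnt [0] and tunnelCnt [0] -- deleting SA!
"""

# Peer identity as it appears in the ASA message prefix: group, username, IP.
PEER_RE = re.compile(r"Group = ([^,]+), Username = ([^,]+), IP = ([^,]+),")
REAPER_MARK = "Reaper overriding refCnt [0] and tunnelCnt [0]"
FSM_ERROR_MARK = "fsmDriver returned error"


def find_fsm_loops(log_text, min_reaps=3):
    """Return {(group, user, ip): (reaps, fsm_errors)} for peers that look stuck.

    A peer is flagged when the reaper deletes an SA that already has refCnt 0
    and tunnelCnt 0 at least min_reaps times. "fsmDriver returned error" carries
    no peer field, so it is attributed to the most recently reaped peer.
    """
    reaps = defaultdict(int)
    errors = defaultdict(int)
    last_peer = None
    for line in log_text.splitlines():
        if REAPER_MARK in line:
            m = PEER_RE.search(line)
            if m is None:
                continue
            last_peer = m.groups()
            reaps[last_peer] += 1
        elif FSM_ERROR_MARK in line and last_peer is not None:
            errors[last_peer] += 1
    return {peer: (n, errors[peer]) for peer, n in reaps.items() if n >= min_reaps}


if __name__ == "__main__":
    for (group, user, ip), (n, e) in find_fsm_loops(SAMPLE_LOG).items():
        print(f"stuck IKE AM responder FSM: group={group} user={user} ip={ip} "
              f"reaps={n} fsm_errors={e}")
```

Feed it the text of &quot;show logging&quot; or a syslog archive that holds these messages. A peer flagged here while no real IKE exchange is taking place is the signature of this bug, and per the workaround above it clears only on reboot.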
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq91271</guid>
</item>
<item>
<title>IKE receiver thread is stuck sleeping in udp_read , Open CSCtc81560</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc81560</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

After a Phase 1 rekey, the IKE Main Mode exchange gets stuck in MM_WAIT_MSG2. MSG2 is in fact received, but internally it never reaches the IKE thread.

&lt;B&gt;Conditions:&lt;/B&gt;

The issue is triggered during a Phase 1 rekey; further conditions still need to be identified.

&lt;B&gt;Workaround:&lt;/B&gt;

Reload the ASA appliance.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc81560</guid>
</item>
<item>
<title>access-list: Memory leak - acl_np_classify_add_full , Open CSCta22102</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta22102</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
memory leak on access_list_np:acl_np_classify_add_full
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
none
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
none 


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta22102</guid>
</item>
<item>
<title>asa traceback in dispatch unit , Fixed CSCsr50655</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr50655</link>
<description>
Symptom:
An ASA running code earlier than 8.0(4.5) may crash when threat-detection host
statistics is activated
&lt;br&gt; 
Conditions:
Threat-detection host statistics is activated and the reverse flow is not
set up because of an error condition.
&lt;br&gt; 
Workaround:
Disable threat-detection host statistics with the commands:

 no threat-detection statistics host
 no threat-detection scanning
 
 



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsr50655</guid>
</item>
<item>
<title>ASA crashes in SIP inspection , Open CSCsv07396</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv07396</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
One ASA or both ASAs in an Active/Standby failover pair may reload unexpectedly. The &quot;show crashinfo&quot; output reports a &quot;Watchdog failure&quot;.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
This has first been observed on two ASAs running software version 8.0(3)12. Other versions might be affected as well.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsv07396</guid>
</item>
<item>
<title>assert failure causes checkheaps to detect memory corruption with AAA , Fixed CSCsu00534</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu00534</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;
 
ASA/PIX may reload with traceback in thread name AAA
&lt;br&gt; 
&lt;B&gt;Conditions:&lt;/B&gt;
 
ASA with AAA accounting configured
ASA is in a low memory condition
&lt;br&gt; 
&lt;B&gt;Workaround:&lt;/B&gt;
 
None at this time.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu00534</guid>
</item>
<item>
<title>webvpn: 3 MB/day mem leak with 76288 byte frag on lightly used device , Fixed CSCsk77613</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk77613</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Available free memory on the device decreases daily, with the memory allocated to the 76288 byte fragment
size as seen in &quot;show memory detail&quot;.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA running software release 8.0 configured for webvpn.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None available.
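
Every leak in this list (the 76288 byte fragment here, the acl_np_classify_add_full leak in CSCta22102, the threat-detection chunk in CSCsm21719) presents the same way: free memory in &quot;show memory&quot; falls a little each day until the appliance reaches the low-memory condition that CSCsu00534 ties to a crash. The Python below is an added example, not Cisco code, that fits a least-squares line to periodic free-memory readings, reports the leak rate in MB/day and estimates the days left before free memory drops to a chosen reserve. The readings are constructed to mimic the roughly 3 MB/day rate in the title and are not device data; the 10% reserve fraction is an assumed threshold.

```python
DAY = 86400  # seconds

# Constructed sample: one free-memory reading per day, in bytes, as collected
# by polling "show memory" or SNMP. Made-up values showing a steady leak of
# about 3 MB/day; not data from a real appliance.
SAMPLE_FREE_BYTES = [
    (0 * DAY, 512_000_000),
    (1 * DAY, 508_900_000),
    (2 * DAY, 505_700_000),
    (3 * DAY, 502_800_000),
    (4 * DAY, 499_500_000),
]


def leak_rate(samples):
    """Least-squares slope of free memory over time, in bytes per second.

    samples: list of (epoch_seconds, free_bytes). A negative slope means free
    memory is shrinking. Returns 0.0 for fewer than two samples or when all
    samples share one timestamp.
    """
    n = len(samples)
    if not n > 1:
        return 0.0
    mean_t = sum(t for t, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    if sxx == 0:
        return 0.0
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in samples)
    return sxy / sxx


def leak_report(samples, reserve_fraction=0.10):
    """Summarise a free-memory trend as (mb_per_day, days_until_reserve).

    mb_per_day is positive when memory is being consumed. days_until_reserve
    is the projected time until free memory falls to reserve_fraction of the
    first reading (an assumed operational floor), or None when nothing leaks.
    """
    slope = leak_rate(samples)
    mb_per_day = -slope * DAY / 1_000_000
    if not mb_per_day > 0:
        return (mb_per_day, None)
    _, free_last = samples[-1]
    floor = samples[0][1] * reserve_fraction
    remaining = free_last - floor
    if not remaining > 0:
        return (mb_per_day, 0.0)
    return (mb_per_day, remaining / (-slope) / DAY)


if __name__ == "__main__":
    rate, days = leak_report(SAMPLE_FREE_BYTES)
    print(f"leak rate: {rate:.2f} MB/day; days until 10% reserve: {days:.1f}")
```

Five daily points are enough to see a 3 MB/day slope on a box with 512 MB free, which is the point: a leak this slow never shows in a single &quot;show memory&quot;, only in the trend, and the projection tells you whether the reload the workarounds on this page keep falling back to can wait for a maintenance window.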



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk77613</guid>
</item>
<item>
<title>Traceback: 8.0.4.29 with cTCP and failover , Fixed CSCsz12009</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz12009</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA crashes running 8.0.4.29 with cTCP and failover.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
1) Release 8.0.4.29
2) ASA configured as Active/Standby failover.
3) IPSec-over-TCP is enabled.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Revert or upgrade.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz12009</guid>
</item>
<item>
<title>SIP: traceback in Thread Name: Dispatch Unit , Fixed CSCsk31007</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk31007</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
On a PIX/ASA running version 7.2.3, the SIP inspection engine can cause a traceback.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
SIP inspection engine enabled.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Disable the SIP inspection engine.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsk31007</guid>
</item>
<item>
<title>Traceback with Thread 0 in thread group , Fixed CSCsq85304</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq85304</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Traceback with a failed assertion, assertion(spin_lock_is_mine()). The secondary firewall reboots every 2 minutes.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Running 8.1.1 version
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq85304</guid>
</item>
<item>
<title>sqlnet traffic causes traceback with inspection configured , Fixed CSCsw51809</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw51809</link>
<description>Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities:

    * VPN Authentication Bypass when Account Override Feature is Used vulnerability
    * Crafted HTTP packet denial of service (DoS) vulnerability
    * Crafted TCP Packet DoS vulnerability
    * Crafted H.323 packet DoS vulnerability
    * SQL*Net packet DoS vulnerability
    * Access control list (ACL) bypass vulnerability
&lt;br&gt;
Workarounds are available for some of the vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw51809</guid>
</item>
<item>
<title>Show capture generates traceback on ASA 5580 8.1 , Fixed CSCsu45313</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu45313</link>
<description>
&lt;B&gt;Symptom:&lt;/B&gt;
- The ASA crashes after entering the command &quot;show capture&quot;
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
- ASA 5580 running 8.1(1)5
- Capturing packets on a busy interface using circular buffer
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
- Avoid using the &quot;show capture&quot; command for packet capture with circular-buffer

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsu45313</guid>
</item>
<item>
<title>threat-detection not releasing cached memory after being disabled , Fixed CSCsm21719</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm21719</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
After disabling Threat-detection, it is still caching a large amount of RAM
which is not freed back to the system.
&lt;br&gt;

&lt;B&gt;Conditions:&lt;/B&gt;
Threat-detection needs to be enabled, and then disabled.
Typically, the default &#39;basic-threat&#39; and &#39;statistics access-list&#39; 
would not cause this condition.
&lt;br&gt;

&lt;B&gt;Workaround:&lt;/B&gt;
Disable threat-detection, and then reboot the appliance to reclaim 
the memory.
&lt;br&gt;

&lt;B&gt;Further Problem Description:&lt;/B&gt;
The output of &quot;show memory detail&quot; will show most of the memory 
is consumed by the 698880 size fragment.  Investigating the consumer
of this fragment size will reveal chunk_create as the largest consumer.
Then the &#39;show chunkstat&#39; output will show that &quot;SNP Host statistics chunk&quot;
is consuming most of the memory.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsm21719</guid>
</item>
<item>
<title>ASA bootloops with 24 or more VLANs in multimode , Fixed CSCtb07060</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb07060</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
When an ASA in multiple-context mode boots with 24 or more VLAN interfaces configured, it loads up to the ciscoasa&gt; prompt but does not respond to any input; about 2 seconds later it prints &quot;Rebooting...&quot; and drops back to ROMMON, or stays in a boot loop until you break into ROMMON.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA configured in multiple-context mode with 24 or more VLANs configured.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Break into ROMMON and change the config register to ignore the startup configuration
&lt;blockquote&gt;
&lt;b&gt;rommon #1&gt; &lt;/b&gt;confreg 0x41
&lt;/blockquote&gt;
After the device boots up copy the startup configuration to the running configuration
&lt;blockquote&gt;
copy start run
&lt;/blockquote&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtb07060</guid>
</item>
<item>
<title>Crash with SIP pinhole replication Thread Name: Dispatch Unit , Fixed CSCtc30413</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc30413</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA may crash in Thread Name: Dispatch Unit (Old pc 0x08180224 ebp 0x1853d970).
On the active unit, SIP traffic creates pinholes whose xlate differs from that of the parent connection; replicating those pinholes crashes the standby unit.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
SIP applications passing through an ASA running 8.0.4(39).
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Configure a separate PAT pool used only for SIP traffic.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtc30413</guid>
</item>
   
</channel>
</rss>
