seems like it is not on the list of resolved caveats... so you may have
to wait
no wonder it is sev1, a VERY popular design :-)
Revision: Version 8.4.3(8) -- 03/01/2012
Files: asa843-8-k8.bin, asa843-8-smp-k8.bin
Defects resolved since 8.4.3:

CSCsv94848 - Warning message for, "igmp static-group" - affective should be effective
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsv94848&Submit=Search>
CSCsz04730 - PIX/ASA: When route changes connections over IPSEC tunnel not torn down
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsz04730&Submit=Search>
CSCtj45148 - ASA 8.3 upgrade traceback in thread pix_flash_config_thread
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj45148&Submit=Search>
CSCtj79795 - WebVPN: flv file within the Flowplayer object is not played over webvpn
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtj79795&Submit=Search>
CSCtk97719 - WebVPN & ASDM doesn't work on Chrome with AES & 3DES ciphers
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtk97719&Submit=Search>
CSCto34765 - ASA may traceback in Thread Name: DATAPATH-1-1235 (ipsecvpn-crypto)
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto34765&Submit=Search>
CSCto88412 - Radius Proxy to SDI - AnyConnect prompts for next PASSCODE but shouldn't
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCto88412&Submit=Search>
CSCtq15197 - WebVPN: flv file within the Flowplayer object is not mangled correctly
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq15197&Submit=Search>
CSCtq88111 - objectgroup not cleared when used for pat pool
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtq88111&Submit=Search>
CSCtr31788 - Standby ASA generates syslog 210005 while transmitting data on FTP
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr31788&Submit=Search>
CSCtr38739 - Link outage in Etherchannel causes interface down and failover
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr38739&Submit=Search>
CSCtr44930 - Nested obj does not work if contained in src and dst of ACL
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtr44930&Submit=Search>
CSCts10661 - SSM-4GE doesn't handle unicast packets after "hw-module module 1 reset"
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts10661&Submit=Search>
CSCts18480 - ASA IKEv1 Traceback in vpnfol_thread_msg ike_fo_create_new_sa on Standby
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts18480&Submit=Search>
CSCts42362 - Message from ASA is not displayed about password complexity requirements
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts42362&Submit=Search>
CSCts98806 - Standby ASA 5585 Reporting Service Card Failure on Signature Update
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCts98806&Submit=Search>
CSCtt03492 - ASA should not send data in the 3rd message of TCP 3WHS w/ LDAP over SSL
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt03492&Submit=Search>
CSCtt13455 - netflow: template only send once with default timeout-rate
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt13455&Submit=Search>
CSCtt45090 - ASA5505: Primary active unit crash due to mismatched host-limit license
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt45090&Submit=Search>
CSCtt47502 - show vpn-sessiondb does not show LZS compression stats for Anyconnect
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt47502&Submit=Search>
CSCtt74695 - wrong vpn-filter gets applied when peers have overlapping address space
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt74695&Submit=Search>
CSCtt96526 - SharePoint 2010: Cannot create new document
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt96526&Submit=Search>
CSCtt98991 - ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtt98991&Submit=Search>
CSCtu00961 - Some specific flash file doesn't work through WebVPN on ASA
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu00961&Submit=Search>
CSCtu03117 - npshim: Shared License Registration Fails w/ Empty TP applied to Int
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu03117&Submit=Search>
CSCtu04723 - vpnclient mac-exempt cmd inconsistent when adding more than 16 entries
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04723&Submit=Search>
CSCtu04754 - ASA may traceback citing Thread Name: qos_metric_daemon as culprit
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu04754&Submit=Search>
CSCtu10620 - WebVPN: flv file within the Flowplayer object is not played over webvpn
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu10620&Submit=Search>
CSCtu14396 - ASA has stale ASP classification entries for Anyconnect tunnels
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu14396&Submit=Search>
CSCtu21128 - cannot pass "=" sign within the value of a parameter for the SSH plugin
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu21128&Submit=Search>
CSCtu26615 - Clientless VPN paging application failure
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu26615&Submit=Search>
CSCtu27846 - Backup Shared license server remains ACTIVE even when the Master is up
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu27846&Submit=Search>
CSCtu30581 - ASA 5580 traceback when CSM attempts deployment
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu30581&Submit=Search>
CSCtu39200 - ASA traceback in emweb/https while bringing up many webvpn sessions
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu39200&Submit=Search>
CSCtu42772 - ASA webvpn doesn't rewrite some redirect messages properly
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu42772&Submit=Search>
CSCtu57453 - ASA: Traceback after removing 'ip address dhcp setroute' with DDNS
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtu57453&Submit=Search>
CSCtv19046 - DACL is not applied to AC when connection via the webportal
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19046&Submit=Search>
CSCtv19854 - Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtv19854&Submit=Search>
CSCtw45576 - TCP sequence space check ignored in some cases
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45576&Submit=Search>
CSCtw45723 - WebVPN: CIFS: Incorrect MIME type for PDF files - iPad/iPhone
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw45723&Submit=Search>
CSCtw50362 - ASA - Failover message may be lost during transition to active state
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw50362&Submit=Search>
CSCtw52591 - Environmental SNMP Traps Are Not Available on ASA5585 SSP-40
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52591&Submit=Search>
CSCtw52716 - ASA5585 show inventory not updated
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw52716&Submit=Search>
CSCtw55462 - Traceback: assert failure on thread radius_snd
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw55462&Submit=Search>
CSCtw56707 - %ASA-3-201011: Connection limit exceeded when not hitting value
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56707&Submit=Search>
CSCtw56859 - Natted traffic not getting encrypted after reconfiguring the crypto ACL
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw56859&Submit=Search>
CSCtw58640 - When ASA sends a username with a "\", WSA logs errors.
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58640&Submit=Search>
CSCtw58682 - SSLVPN Portal uses incorrect DNS Group after failover
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58682&Submit=Search>
CSCtw58945 - L2TP over IPSec connections fail with ldap authorization and mschapv2
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw58945&Submit=Search>
CSCtw59562 - ACL Hashes calculated during config migration are wrong
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw59562&Submit=Search>
CSCtw60220 - Port Address Translation (PAT) causes higher CPU after upgrade
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw60220&Submit=Search>
CSCtw63996 - Page fault traceback with thread name "pix_flash_config_thread".
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw63996&Submit=Search>
CSCtw71420 - ASA 5585-X does not provide aggregate system CPU load value via SNMP
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw71420&Submit=Search>
CSCtw75613 - ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw75613&Submit=Search>
CSCtw78059 - print warning if interface in logging host cmd conflicts with routes
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78059&Submit=Search>
CSCtw78415 - ASA may reload with traceback in Dispatch Unit related to WAAS inspect
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw78415&Submit=Search>
CSCtw84007 - ASA does not recognize IPv6 VPN filter access-list for AnyConnect client
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84007&Submit=Search>
CSCtw84087 - IKEv2: ASA does not re-establish more than one SA after disconnect
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw84087&Submit=Search>
CSCtw89522 - Cut-through proxy - users unable to log in
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw89522&Submit=Search>
CSCtw90179 - ASA: In a rare corner case ASA may crash while modifying FQDN object/acl
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw90179&Submit=Search>
CSCtw93059 - Page fault traceback in crypto_lib_keypair_show_mypubkey_all
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw93059&Submit=Search>
CSCtw95487 - ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtw95487&Submit=Search>
CSCtx01251 - ASA: May traceback in DATAPATH during capture
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx01251&Submit=Search>
CSCtx03464 - Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx03464&Submit=Search>
CSCtx08182 - Nas-Port attribute different for authentication and accounting
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08182&Submit=Search>
CSCtx08346 - tunnel-group-preference not respected for AnyConnect 3.0 aggregate_auth
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08346&Submit=Search>
CSCtx08354 - Traceback when memory low and memory profile enabled
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx08354&Submit=Search>
CSCtx10196 - Webvpn: Javascript rewrite causing login button to be inactive
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx10196&Submit=Search>
CSCtx11578 - ASA does not start DPD when phase 1 up but phase 2 down
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx11578&Submit=Search>
CSCtx16166 - ASA may not log syslogs 611101, 605005 for asdm sessions to certain int
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx16166&Submit=Search>
CSCtx25170 - Configuring a network object with an invalid range causes traceback
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25170&Submit=Search>
CSCtx25910 - class-map doesn't work after replacing ACL
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx25910&Submit=Search>
CSCtx28628 - Clientless - VLAN assign't under group-policy breaks tunneled dflt route
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx28628&Submit=Search>
CSCtx32455 - SunRpc: Change from dynamic ACL to pin-hole mechanism
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx32455&Submit=Search>
CSCtx33347 - Standby ASA traceback while trying to replicate xlates
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx33347&Submit=Search>
CSCtx36026 - VPN session failure due to auth handle depletion
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx36026&Submit=Search>
CSCtx38644 - Webvpn: Can't copy & paste in web portal with IE8 and IE9
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx38644&Submit=Search>
CSCtx42643 - Received unexpected event EV_REMOVE in state AM_WAIT_DELETE
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42643&Submit=Search>
CSCtx42746 - cutthrough proxy authentication vulnerability
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx42746&Submit=Search>
CSCtx57829 - Syslog 324001 Reason string is missing
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx57829&Submit=Search>
CSCtx58556 - ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3)
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx58556&Submit=Search>
CSCtx62037 - "X-CSTP-Tunnel-All-DNS" not properly set in SMP images for split-dns
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx62037&Submit=Search>
CSCtx65353 - ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx65353&Submit=Search>
CSCtx69008 - ASA: Page Fault traceback in ssh thread when changing IKEv2 config
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69008&Submit=Search>
CSCtx69018 - MSFT KB2585542 breaks cut-thru proxy and IUA
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69018&Submit=Search>
CSCtx69059 - Traceback in Unicorn Proxy Thread under heavy WebVPN load
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69059&Submit=Search>
CSCtx69498 - Traceback when Converting ACL Remarks of 100 Characters
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCtx69498&Submit=Search>
CSCty11414 - ASA Crashes or Simply Reloads With Signal 11 in Unicorn Proxy Thread
  <http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCty11414&Submit=Search>
On 3/26/2012 7:09 PM, Ryan West wrote:
> Thanks for looking, up for a maint window and look what I find from the bug feed:
>
> Bug Id: CSCty32412
> Headline: ASA: Anyconnect u-turn to ipsec tunnel fails after upgrade to 8.4.3.1
> Description: Symptom: ASA after a upgrade to 8.4.3.1 or later, anyconnect traffic that will uturn (hairpin) to a ipsec lan to lan tunnel is dropped. The show asp drop shows the following reason: Expired VPN context (vpn-context-expired) No log message is generated for the drops.
> Conditions: Anyconnect client uturns into a ipsec lan to lan tunnel.
> Workaround: 1) downgrade to 8.4.3 2) Use ipsec vpn client as a temporary workaround
> Status: Assigned
> Last Modified date: 2012-03-25 18:09:13.0
> Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412
>
> Listed as a sev1.
>
> -ryan
>
> -----Original Message-----
> From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
> Sent: Sunday, March 25, 2012 4:56 PM
> To: Ryan West
> Cc: CCIE Lab
> Subject: Re: OT: Remote Access VPN 8.4(2)+
>
> I'm not in front of an ASA, but I don't believe you need the out,out nat. That's mainly for DNS rewrite.
>
> Have you applied "permit same-security traffic intra"? If the hairpin VPN was working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp, but you mentioned that's been done. The only other item could be your 8.4 equivalent of no-nat.
>
> What does your nat statement look like for the VPN subnets?
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from iJay
>
> On Mar 25, 2012, at 2:10 PM, Ryan West<rwest_at_zyedge.com> wrote:
>
>> Before I go the TAC route, I'm wondering if anyone has come across this one. I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+ versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which have been solved. Remote access VPNs with destinations across site to site tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me, but does not work. The previous method of no nat that translates into a twice nat is also failing.
>>
>> Has anyone come across this type of config and can post a sanitized snippet for the twice nat?
>>
>> For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit intra-interface already configured as well. I'll post configs later.
>>
>> Thanks!
>>
>> -ryan
>>
>> Sent from handheld
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
Received on Mon Mar 26 2012 - 20:48:56 ART
This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART
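The 8.3+ twice-NAT exemption that Ryan is asking about, written out for the addresses he gave (an AnyConnect pool of 10.1.1.0/24 hairpinning into a site-to-site tunnel to 10.1.2.0/24). This is an added illustration in generic ASA 8.3+ syntax and is not a config posted by anyone in the thread; the object names VPN_POOL and SITE_B, the interface name outside, the ACL and crypto map names, and the documentation peer address 198.51.100.1 are all assumptions. The rest of the crypto map (transform set, IKE settings) is assumed to exist already.

```text
! Added example (not from the thread): identity twice NAT so that pool traffic
! u-turning on the outside interface reaches the L2L tunnel untranslated.
same-security-traffic permit intra-interface
!
object network VPN_POOL
 subnet 10.1.1.0 255.255.255.0
object network SITE_B
 subnet 10.1.2.0 255.255.255.0
!
! Section 1 (manual) rules are matched top-down, so give the exemption a low
! line number to keep it ahead of any dynamic PAT rule that also covers the pool.
! route-lookup makes the ASA pick the egress interface from the routing table
! rather than from the NAT rule, which is what a hairpin on outside needs.
nat (outside,outside) 1 source static VPN_POOL VPN_POOL destination static SITE_B SITE_B no-proxy-arp route-lookup
!
! The crypto ACL for the L2L tunnel must also match pool -> remote LAN, otherwise
! the hairpinned packets are routed out of outside in clear text, not encrypted.
access-list L2L_SITE_B extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_SITE_B
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
!
! Checks, run from the CLI (placeholder host addresses inside the two subnets):
!   show nat detail                      - the exemption should show translate_hits
!   packet-tracer input outside tcp 10.1.1.10 1025 10.1.2.10 445
!                                        - expect a VPN encrypt phase, not a NAT or route drop
!   show asp drop | include vpn-context  - a rising vpn-context-expired counter with the
!                                          NAT and crypto ACL correct points at the
!                                          CSCty32412 behaviour quoted above, not at config
```

The packet-tracer result is the useful separator here: if the NAT phase shows the identity rule and the trace ends in a drop at the VPN phase, the config is doing its job and the remaining suspect is the release itself.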