CSCuy28710 - DOC ARP source IP sanity check against proxy-arp list

So now Cisco calls a software regression a "documentation bug". It's quite a coincidence that all the versions affected by this behavior are the ones where CVE-2016-1287 is fixed.

Any ideas on how to configure proxy-arp on an interface then?

Has anyone tested 9.3(3.7) or 9.5(2.2) to see if they are also affected?


Oscar Olsson
Level 1

I agree that it's a shame that Cisco can't admit this is a bug rather than a feature enhancement. It would also greatly help if the bug details could clarify if this is the new expected behavior for future software releases from 9.1 going forward or if this behavior is temporary and will be reverted to the "old" interpretation in future releases.

We also had some serious issues with this after an upgrade from 9.1(6) to 9.1(7).

After opening a case last week, I received an update today that there is an interim software release in which only the IKE vulnerability is fixed and no other "features" were added.

Release notes can be found here: http://www.cisco.com/web/software/280775065/123352/ASA-916-Interim-Release-Notes.html

I've also asked the engineer to clarify if this is just a bug or expected behaviour in this and future releases. I'll keep you posted if I get an update on this.

Ditto for us, and not just 9.1(6) to 9.1(7) but 8.3 to 8.4(7)30 also.

You wouldn't believe the amount of new expletives that were made up last week.

So it seems like this is the expected behaviour for all the new releases:

In the old releases and in certain conditions, the ASA doesn't check the source of the ARP request; please see the following software bug:

https://tools.cisco.com/bugsearch/bug/CSCuc11186/


This issue is fixed in the new releases, and the resolution of this defect introduces a change in the ASA behavior, which most probably is the reason for our issue in this case. You can avoid this behavior in 9.1.7 by modifying the NAT statements, especially those with the (any) keyword.


Also, as I mentioned earlier, in order to make things easier for the customer, our development team has implemented the fix for the vulnerability in 9.1.6.11, which was released yesterday, and kept the same old behavior regarding proxy ARP.

They've just updated the bug report and the bug is supposed to be fixed in 9.1(7.2) and 9.4(2.7).

I'll test them whenever they become available for download.

Source: https://tools.cisco.com/bugsearch/bug/CSCuy28710

Sounds interesting.

Could you give us an update whenever you were able to test this?

Thanks!

Those versions are not available for download yet.

We upgraded to 9.1(7)4, and it's working fine for us.

arnert
Level 1

I appear to have this issue with 9.6(2)3 on an ASA 5525-X. Is this a permanent feature or enhancement? Where is the beef, so to speak? Anyone know?

Any feedback or workarounds to this bug? Can I re-IP the ARP interface to another subnet to get around the issue?
